How to subtract in VB with Access DB
-
So I have an accdb named itemdb with a table named Products, and I want to subtract the value input in txtbox8 from the field named RegBal. So far I have this code:
Imports System.Data.OleDb
Public Class Order
    Public conString As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Landon-PC\Documents\Visual Studio 2010\Projects\Final\Final\bin\Debug\itemdb.accdb;Persist Security Info=False"
    Public con As New OleDbConnection

    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        con.ConnectionString = conString
        If con.State = ConnectionState.Closed Then
            con.Open()
            MsgBox("Connected")
        End If
    End Sub

    Private Sub Button4_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button4.Click
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Try
            Dim sqlQuery As String = "SELECT itemdb.Products, Products.RegBal, Products.RegBal- " & TextBox8.Text & "
            Dim sqlCommand As New OleDbCommand
            With sqlCommand
                .CommandText = sqlQuery
                .Connection = con
                .ExecuteNonQuery()
            End With
            MsgBox("SAVED")
        Catch ex As Exception
            MsgBox(ex.ToString)
        End Try
    End Sub

    Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
        Me.Close()
        Main.Show()
    End Sub
End Class
-
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
First, Richard Deeming is right: do not concatenate SQL strings from user input, as that is wide open to injection attack; use parameterised queries. That said, your SQL will do what you ask; however, it is a SELECT statement, which will return rows of data to your program. I take it that part of your sqlQuery string is missing, as you also need a FROM and table name. You execute it as NonQuery, which will return nothing from a SELECT anyway; you need to look at UPDATE if you want to alter the values in table(s).
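The change both replies point to, as an added example that is not part of the original thread: a parameterized UPDATE that subtracts the typed amount from RegBal. The ProductID key column, the Currency type for RegBal, and the module and function names are assumptions, since the thread does not give them.

```vbnet
Imports System.Data.OleDb
Imports System.Globalization

Public Module RegBalUpdate

    ' Subtracts the amount typed by the user from Products.RegBal for one row.
    ' ProductID is an assumed key column; the thread does not name one.
    ' Returns True when exactly one row was updated.
    Public Function SubtractFromRegBal(ByVal conString As String,
                                       ByVal productId As Integer,
                                       ByVal amountText As String) As Boolean
        Dim amount As Decimal
        ' Accept only text that parses as a number, and refuse negative amounts,
        ' so the value is typed data before it goes anywhere near the database.
        If Not Decimal.TryParse(amountText, NumberStyles.Number,
                                CultureInfo.CurrentCulture, amount) OrElse amount < 0D Then
            Return False
        End If

        ' The SQL text is a constant: user input never becomes part of it.
        ' OleDb parameters are positional, so each ? is bound in the order
        ' the parameters are added; the names below are only labels.
        ' The RegBal >= ? condition stops the balance from going negative.
        Const sql As String =
            "UPDATE Products SET RegBal = RegBal - ? " &
            "WHERE ProductID = ? AND RegBal >= ?"

        Using con As New OleDbConnection(conString)
            Using cmd As New OleDbCommand(sql, con)
                ' Currency is an assumption about the RegBal column type.
                cmd.Parameters.Add("@amount", OleDbType.Currency).Value = amount
                cmd.Parameters.Add("@id", OleDbType.Integer).Value = productId
                cmd.Parameters.Add("@minBal", OleDbType.Currency).Value = amount
                con.Open()
                ' For an UPDATE, ExecuteNonQuery returns the number of rows changed.
                Return cmd.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function

End Module
```

From the button handler this would be called with TextBox8.Text as amountText; a False result means the input was not a valid amount, no row matched, or the balance was too low.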