add record contain two combobox vb.net access

Question

1.00/5 (1 vote)

See more:

hello,

i have a problem with two combobox when i want to add new record:

i have 3 table
product (id_prdt,....., idcat,idsup )
category_prodcut(idCatPrdt,.....)
supplier(id_sup,......)

i have a form contain all the information for the product and two combobox one for supplier and the other for categoryProduct.

this is the code:

Try
            CN.Open()
            cmd5.Connection = CN
            Dim dr5 As OleDbDataReader
            cmd5.CommandText = "insert into Produits values('" & TextBox1.Text & "','" & TextBox2.Text & "','" & TextBox3.Text & "','" & TextBox4.Text & "','" & TextBox5.Text & "','" & TextBox6.Text & "','" & TextBox7.Text & "','" & TextBox8.Text & "','" & TextBox9.Text & "','" & TextBox10.Text & "','" & DateTimePicker1.Text & "','" & ComboBox1.Text & "','" & ComboBox2.Text & "')"
            dr5 = cmd5.ExecuteReader
            MsgBox("Enregistré avec succée")     CN.Close()
        Catch ex As Exception

        End Try

in the form load i fill the combo of category_prodcut;

VB

Try
                Dim dr1 As OleDbDataReader
                CN.Open()
                cmd1.Connection = CN
                cmd1.CommandText = "select * from Categories"
                dr1 = cmd.ExecuteReader
                Remplir_Liste_Produits()

                While dr.Read
                    ComboBox2.Items.Add(dr.GetValue(1))
                End While
                CN.Close()
            Catch ex As Exception

            End Try
<pre lang="vb">

The problem when i try to use code to fill the second combobox i didn't know no error and no result:
Note: no link direct between the two table category product and supplier.

this the code of the form load:

VB

Private Sub Ajouter_Produit_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        'Categories
        Try

            Dim dr As OleDbDataReader

            CN.Open()
            cmd.Connection = CN
            cmd.CommandText = "select * from Categories "
            dr = cmd.ExecuteReader
            Remplir_Liste_Produits()
            While dr.Read
                ComboBox1.Items.Add(dr.GetValue(0).ToString)
            End While
            CN.Close()
        Catch ex As Exception

        End Try

        'Fournisseurs
        Try
            Dim dr1 As OleDbDataReader
            CN.Open()
            cmd1.Connection = CN
            cmd1.CommandText = "select * from Fournisseurs "
            dr1 = cmd.ExecuteReader
            Remplir_Liste_Produits()

            While dr1.Read
                ComboBox2.Items.Add(dr1.GetValue(1))
            End While
            CN.Close()
        Catch ex As Exception

        End Try
    End Sub

Thank you for help

Posted 14-Jul-15 4:27am

adoul1

Updated 14-Jul-15 4:34am

v2

Add a Solution

Comments

Richard Deeming 14-Jul-15 11:34am

Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

adoul1 14-Jul-15 11:56am

thank you for your advice but should i repreat all my code for all my project. no solution for that!!!!

Richard Deeming 14-Jul-15 12:02pm

Well, if you're not going to fix it, be prepared to explain to your boss why your company is being sued after your database has been stolen.

Or how your server was hacked and used to spread malware.

Or any of the other nasty things that will happen when you give attackers complete and unrestricted access to your server.

adoul1 14-Jul-15 12:13pm

Visual Basic.net with Access 2007 database not server

Richard Deeming 14-Jul-15 12:19pm

Even worse. You have no means of securing the data, so any user can insert, update or delete any data they want, and there's nothing your program can do to stop them.

You're deliberately leaving a major security vulnerability in your code because you can't be bothered to go back and fix it.

adoul1 14-Jul-15 12:40pm

let the security in another problem.
so have you any idea to help me for the current problem with the same code that i did

[no name] 14-Jul-15 16:20pm

You would need to update your "question" with actual code and data you are using. According to your code and description, you are getting data from database tables that do not exist. That is to say you are querying a Categories table but according to your description of your database, no such table exists.

Ralf Meier 15-Jul-15 0:28am

OK ... back to your Project ...
What is the dependancy between supplier and product ? I think that not every supplier delivers each product. So the Combobox_Product could first time filled with data (and is accesible) when a supplier is selected. If I'm right you Need different load-methods - depending on the previous selection.
What about this ?

But finally : don't leave the advises from the others behind you. Nothing was told without a reason ...

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Accepted Answer · 2015-07-14T10:06:00

Your approach is wrong from the very beginning. The query composed by concatenation with strings taken from UI. Not only repeated string concatenation is inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is way more important issue: it opens the doors to a well-known exploit called SQL injection.

This is how it works: http://xkcd.com/327.

Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.

What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA