Click here to Skip to main content
15,897,371 members
Search within:


Where the SQL query is wrong?
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
SQL
I am using VB.net (2010) for database management with a MSAccess 2003 database on Windows10. For deletion of a record I using sql query:

VB.NET
query = "DELETE * FROM monthOverAll WHERE actDate =" + catchDate + "AND doneBy =" + catchDoneBy + "AND (Training > 0) OR (EA > 0) OR (OFT > 0) OR (FLD > 0) OR (splEvent > 0) OR (farmProd > 0) OR (CovidActivity > 0) OR (CFLD > 0))"


where:
monthOverAll is the table
actDate, doneBy, Training, EA, OFT, FLD, splEvent, farmProd, CovidActivity, CFLD are database fields.
catchDate, catchDoneBy are variables.

while executing it I get the following error. Can anyone please help me with this. Thanks in advance.

Syntax error (missing operator) in query expression 'actDate =03-Aug-21AND doneBy =DR GPM SINGHAND (Training > 0) OR (EA > 0) OR (OFT > 0) OR (FLD > 0) OR (splEvent > 0) OR (farmProd > 0) OR (CovidActivity > 0) OR (CFLD > 0))'.


What I have tried:

I have tried all sorts combinations but nothing seems to work.
Posted
Updated 2-Aug-21 23:08pm
v3
Add a Solution

2 solutions

Do NOT use concatenated strings! Due to the Sql Injection[^] use parameterized queries instead.

See:
Create Parameterized Queries in ADO.NET -- Visual Studio Magazine[^]
How and Why to Use Parameterized Queries - Microsoft Tech Community[^]
 
Share this answer
 
Posted
Updated 2-Aug-21 23:09pm
v2
Comments
CPallini 3-Aug-21 5:09am    
5.
Maciej Los 3-Aug-21 9:40am    
Thank you, Carlo!
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Fix that security vulnerability, and remove the extra closing parenthesis, and you'll also fix your error.
VB.NET
Using cmd As New OleDbCommand()
    cmd.Connection = conn
    
    cmd.CommandText = "DELETE FROM monthOverAll WHERE actDate = ? AND doneBy = ? And (Training > 0) OR (EA > 0) OR (OFT > 0) OR (FLD > 0) OR (splEvent > 0) OR (farmProd > 0) OR (CovidActivity > 0) OR (CFLD > 0)"
    cmd.Parameters.AddWithValue("actDate", catchDate)
    cmd.Parameters.AddWithValue("doneBy", catchDoneBy)
    
    cmd.ExecuteNonQuery()
End Using
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
 
Share this answer
 
Posted
Comments
Maciej Los 3-Aug-21 5:09am    
5ed!
CPallini 3-Aug-21 5:09am    
5.
Krishi Vigyan Kendra Allahabad 9-Aug-21 0:59am    
Thanks very much Richard. This works fine.
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Sql query syntax error
sql query is giving wrong output
What is wrong in the SQL query of mine?
What's wrong with SQL Query?
What is wrong in the below SQL query
what is wrong in this query
What wrong with the query
What wrong with this query ?
Sql - merge 2 queries into 1
Is my SQL query naming style wrong?

Advertise
Privacy
Cookies
Terms of Use
Last Updated 3 Aug 2021
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web04 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900