string query = string.Format( "Select {0}.{1},{2},{3}, {9}.{4},{5},{6} ,{7},{8} From {0} ;

I got this error: Syntax error in string in query expression '(Mid(AttendanceLogs.InTime,EmployeeId,0) = Mid(Format(DateAdd(AttendanceDate,-4, NOW()), 'YYY-mm-dd),EmployeeId,0))'.
Updated 5-Nov-12 20:43pm

Solution 1

The whole idea is wrong in principle. The data you use for composing the query may come from the UI, and anything can come, including… some SQL code fragments. This simple idea is the basis of the well-known exploit called "SQL Injection". You cannot afford this to happen.

Please see:[^].

Please see this article and pay attention to the section "Parametrized statement". Even though all aspects of the exploit and its mitigation can be very complex (I recently saw a whole thick book on this single topic), parametrized statements are a principal way of fighting the problem.

This is how it looks in ADO.NET:[^],[^].

Good luck, stay safe,
Mohamed Mitwalli 6-Nov-12 1:50am
Thank you, Mohamed.
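
An added example (not part of the original answer or of the asker's code) of the parametrized-statement approach Solution 1 recommends, in ADO.NET. It assumes the OleDb provider and that EmployeeId, InTime and AttendanceDate are columns of AttendanceLogs; the class and method names are hypothetical and the sample values in Main are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;

static class AttendanceQuery   // hypothetical name
{
    // Identifiers cannot be bound as parameters, so they are checked against a fixed
    // allow-list (assumed columns, taken from the names in the error message).
    static readonly HashSet<string> AllowedColumns = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "EmployeeId", "InTime", "AttendanceDate" };

    public static OleDbCommand Build(OleDbConnection conn, IEnumerable<string> columns,
                                     int employeeId, DateTime from, DateTime to)
    {
        var selected = new List<string>();
        foreach (var c in columns)
        {
            if (!AllowedColumns.Contains(c))
                throw new ArgumentException("Column not allowed: " + c);
            selected.Add("[" + c + "]");
        }
        if (selected.Count == 0) throw new ArgumentException("No columns selected");

        var cmd = conn.CreateCommand();
        // Values are never concatenated into the text; each ? is bound from Parameters.
        cmd.CommandText = "SELECT " + string.Join(", ", selected) +
            " FROM [AttendanceLogs] WHERE [EmployeeId] = ? AND [AttendanceDate] BETWEEN ? AND ?";
        // OleDb binds by position and ignores names, so add in placeholder order.
        cmd.Parameters.Add("@employeeId", OleDbType.Integer).Value = employeeId;
        cmd.Parameters.Add("@from", OleDbType.Date).Value = from;
        cmd.Parameters.Add("@to", OleDbType.Date).Value = to;
        return cmd;
    }

    static void Main()
    {
        DateTime to = DateTime.Today, from = to.AddDays(-4);   // constructed sample range
        using (var conn = new OleDbConnection())   // never opened: only the command is built
        {
            using (var cmd = Build(conn, new[] { "EmployeeId", "InTime" }, 42, from, to))
            {
                Console.WriteLine(cmd.CommandText);
                foreach (OleDbParameter p in cmd.Parameters)
                    Console.WriteLine("{0} = {1}", p.ParameterName, p.Value);
            }
            // A column name that is not on the allow-list is rejected before any SQL is built.
            try { Build(conn, new[] { "InTime, Password" }, 42, from, to); }
            catch (ArgumentException e) { Console.WriteLine(e.Message); }
        }
    }
}
```

With System.Data.SqlClient the same pattern uses named placeholders such as @employeeId in the command text instead of ?.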

Solution 2

Hi There,

I think you are trying to use MID as a function.
If this is true, there are a couple of problems, I assume.

1. MID is a function to find a substring from a column. The way you have used it doesn't seem right. The syntax for MID is
SELECT MID(column_name,start[,length]) FROM table_name

2. MID, I think, is not available in SQL 2008. It was/is there in Access. You can use the substring method in SQL 2008. The syntax for substring is the same
SELECT substring(column_name,start[,length]) FROM table_name

In both cases length is an optional parameter.

Hope that helps

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)