Click here to Skip to main content
15,065,914 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I am using VB.net (2010) for database management with a MSAccess 2003 database on Windows10. For deletion of a record I using sql query:

VB.NET
query = "DELETE * FROM monthOverAll WHERE actDate =" + catchDate + "AND doneBy =" + catchDoneBy + "AND (Training > 0) OR (EA > 0) OR (OFT > 0) OR (FLD > 0) OR (splEvent > 0) OR (farmProd > 0) OR (CovidActivity > 0) OR (CFLD > 0))"


where:
monthOverAll is the table
actDate, doneBy, Training, EA, OFT, FLD, splEvent, farmProd, CovidActivity, CFLD are database fields.
catchDate, catchDoneBy are variables.

while executing it I get the following error. Can anyone please help me with this. Thanks in advance.

Syntax error (missing operator) in query expression 'actDate =03-Aug-21AND doneBy =DR GPM SINGHAND (Training > 0) OR (EA > 0) OR (OFT > 0) OR (FLD > 0) OR (splEvent > 0) OR (farmProd > 0) OR (CovidActivity > 0) OR (CFLD > 0))'.


What I have tried:

I have tried all sorts combinations but nothing seems to work.
Posted
Updated 2-Aug-21 23:08pm
v3

   
v2
Comments
CPallini 3-Aug-21 5:09am
   
5.
Maciej Los 3-Aug-21 9:40am
   
Thank you, Carlo!
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Fix that security vulnerability, and remove the extra closing parenthesis, and you'll also fix your error.
VB.NET
Using cmd As New OleDbCommand()
    cmd.Connection = conn
    
    cmd.CommandText = "DELETE FROM monthOverAll WHERE actDate = ? AND doneBy = ? And (Training > 0) OR (EA > 0) OR (OFT > 0) OR (FLD > 0) OR (splEvent > 0) OR (farmProd > 0) OR (CovidActivity > 0) OR (CFLD > 0)"
    cmd.Parameters.AddWithValue("actDate", catchDate)
    cmd.Parameters.AddWithValue("doneBy", catchDoneBy)
    
    cmd.ExecuteNonQuery()
End Using

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
   
Comments
Maciej Los 3-Aug-21 5:09am
   
5ed!
CPallini 3-Aug-21 5:09am
   
5.
   
Thanks very much Richard. This works fine.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900