Click here to Skip to main content
15,868,101 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
Dim xId As Integer
Dim con As ADODB.Connection
Set con = New ADODB.Connection
Dim rsSearch As ADODB.Recordset
Set rsSearch = New ADODB.Recordset
con.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & App.Path & "\librarydb.mdb;Persist Security Info=False"

strId = Text1.Text

rsSearch.Open "select * from Studenttbl where ID=" & strId & "", con, adOpenStatic, adLockOptimistic

If rsSearch.BOF = True Or rsSearch.EOF = True Then
MsgBox "No Record Found."

Exit Sub
Else
Text1.Text = rsSearch!ID
Text2.Text = rsSearch!FirstName
Text3.Text = rsSearch!LastName
Text4.Text = rsSearch!Section
rsSearch.Close

End If
This is my problem
"rsSearch.Open "select * from Studenttbl where ID=" & strId & "", con, adOpenStatic, adLockOptimistic"

This is a Search button command

What I have tried:

I haven't tried anything yet so I came here and hoping for help, this is actually a project and I'm just starting to learn vb6
Posted
Updated 2-Nov-20 22:09pm
Comments
Richard Deeming 3-Nov-20 4:51am    
rsSearch.Open "select * from Studenttbl where ID=" & strId & "", con, adOpenStatic, adLockOptimistic

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

1 solution

Firstly, forget VB6 it is long dead. Get yourself a copy of Download Visual Studio 2019 for Windows & Mac[^] Community Edition, which is free. You can then start working on VB.NET which is the up to date and supported Visual Basic.

Secondly, when you extract some data from a field that is supposed to be filled in by the user, the first thing you must always do is validate it. Check it is not blank, it is in the correct format, it has valid characters etc. Do not assume that the user is as smart as you.
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900