What's wrong in my code

Question

1.00/5 (1 vote)

See more:

VB

Dim strid As Integer
Dim conn As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0; Data source=C:\Users\Dew\Documents\Shubham\ShubhamProj\StudLib.mdb")
conn.Open()
Dim cmd As OleDbCommand
cmd = conn.CreateCommand()
strid = CInt(User2nd.Text)
cmd.CommandText = "SELECT * FROM std_log where first_name='" & User1st.Text & "' and password='" & Password.Text & "' and id=' "& strid &" ';"
Dim dr As OleDbDataReader
dr = cmd.ExecuteReader()

Posted 8-Jun-14 7:03am

Member 10871611

Updated 8-Jun-14 7:43am

DamithSL

v3

Add a Solution

Comments

Member 10871611 8-Jun-14 13:05pm

An error iss coming when i add that id part in sql query, so please me in solving it...

Tadit Dash (ତଡିତ୍ କୁମାର ଦାଶ) 8-Jun-14 13:06pm

What is that error?

phil.o 8-Jun-14 13:07pm

And the error is?
Did you try to debug?

Member 10871611 8-Jun-14 13:12pm

yup, it is showing this error
Data type mismatch in criteria expression.

3 solutions

Solution 2

As Peter pointed out in Solution 1, this is wrong approach, because you leave your application wide open to the well know exploit called SQL injecton. This is how:
http://xkcd.com/327[^].

This is what you need to use: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].

See also: http://en.wikipedia.org/wiki/SQL_injection[^].

And please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].

—SA

Posted 8-Jun-14 7:35am

Sergey Alexandrovich Kryukov

Comments

Peter Leow 8-Jun-14 13:45pm

Thanks, Sergey, for the reinforcement. 5ed!

Solution 3

try below code with sql parameters,

VB

cmd.CommandText = "SELECT * FROM std_log where first_name=? and password=? and id=?";
cmd.Parameters.AddWithValue("first_name", User1st.Text)
cmd.Parameters.AddWithValue("password", Password.Text)
cmd.Parameters.AddWithValue("id", strid)
Dim dr As OleDbDataReader
dr = cmd.ExecuteReader()

Posted 8-Jun-14 7:41am

DamithSL

Comments

Peter Leow 8-Jun-14 13:46pm

Thanks, DamithSL. 5ed!

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Peter Leow · Accepted Answer · 2014-06-08T07:23:00

Solution 1

Typo:

id=" & strid & ";"

However, you should use Parameter-Queries-in-ASP.NET-with-MS-Access[^] to prevent sql injection.

Posted 8-Jun-14 7:23am

Peter Leow

Updated 8-Jun-14 7:41am

v3

Comments

DamithSL 8-Jun-14 13:33pm

hi peter. i think it should be id=" & strid & ";" no need of single quote because of int value

Member 10871611 8-Jun-14 13:40pm

Thanku

Peter Leow 8-Jun-14 13:41pm

Thanks, you are right. missed the cint(). Amended.

Sergey Alexandrovich Kryukov 8-Jun-14 13:37pm

Good catch, 5ed.
In Solution 2, I provided important detail on how to make it right, please see.
—SA

DamithSL 8-Jun-14 13:54pm

sed :)