SQL concatenation using Vb.net

Question

0.00/5 (No votes)

See more:

How to concat 2 sql statements?

Declaration in global:

Dim sqlSearch As String

Declaration in first function:

sqlSearch = " AND MONTH_T = '" + MonthSearch + "'"

Declaration in second function:

SQL

Dim sql1 As String = "SELECT DISTINCT MONTH_T FROM Q_VIEWREG WHERE CATEGORY_T = '" + Me.ddlSearchType.SelectedItem.Text + "' " & sqlSearch

After debugging, this is the result that I get for sql1:

SELECT DISTINCT MONTH_T FROM Q_VIEWREG WHERE CATEGORY_T = 'INTERNAL'

It doesnt concat the second statement. Why does it happen?

Posted 19-Jul-12 15:53pm

snamyna

Add a Solution

Comments

graciax8 19-Jul-12 22:50pm

how did you see that is doesn't concat the second statement?

snamyna 19-Jul-12 23:51pm

the full statement shud be SELECT DISTINCT MONTH_T FROM Q_VIEWREG WHERE CATEGORY_T = 'INTERNAL' AND MONTH_T = '201205'
but i only get SELECT DISTINCT MONTH_T FROM Q_VIEWREG WHERE CATEGORY_T = 'INTERNAL'

4 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Christian Graus · Answer 1 · 2012-07-19T16:15:00

Solution 1

I don't know, because I don't do VB, but it's a good thing it didn't. You NEVER build SQL this way, it leaves your code open to all sorts of attacks. Create paramaterised queries, or use stored procs. If anyone working for me built SQL like this, it would be instant dismissal.

Posted 19-Jul-12 16:15pm

Christian Graus

Comments

snamyna 19-Jul-12 22:47pm

Owh.. That wud be a good info. TQ Christian..

Simon_Whale · Answer 2 · 2012-07-23T06:26:00

Solution 3

I would have a read of this article

Using SqlParameter Class[^].

As I would also support Christians statement of using parameterised queries as it removes the possibility of sql injection.

Posted 23-Jul-12 6:26am

Simon_Whale

Kenneth Haugland · Answer 3 · 2012-07-23T06:29:00

Solution 4

Do not use + sign on strings in VB you have to use &......

Posted 23-Jul-12 6:29am

Kenneth Haugland

snamyna · Answer 4 · 2012-07-19T16:47:00

Solution 2

I just wrongly put the SQL statement in correct order. I have solved this. Thanks for your time.

Posted 19-Jul-12 16:47pm

snamyna