Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

God Dam VB crap

Options
  • 09-03-2004 12:31pm
    #1
    Orlie
    Registered Users Posts: 61 ✭✭


    This is what I have...

    strSQL = "Update RoomFile SET RoomStatus = '" & NewRoomStatus & "'"
    strSQL = strSQL & " WHERE RoomName = " & grdEnquiry.Text

    The error is wrecking my head! I'm sure it's quite simple but I can't figure it out!

    Run-time error '3075'

    Syntax error (missing operator) in query expression 'RoomName = Alpine View'.

    error is on the dbHilton.Execute (strSQL)


Comments

  • Options
    #2
    [CrimsonGhost]
    Registered Users Posts: 1,023 ✭✭✭[CrimsonGhost]


    strSQL = "Update RoomFile SET RoomStatus = '" & NewRoomStatus & "'"
    strSQL = strSQL & " WHERE RoomName = '" & grdEnquiry.Text & "'"

    Or failing that immediately after do a
    msgbox strSQL
    And see exactly what the SQL statement is and post that up here.


  • Options
    #3
    Enygma
    Closed Accounts Posts: 1,651 ✭✭✭Enygma


    You need to wrap the Alpine View part in quotes.

    i.e.
    
strSQL = "Update RoomFile SET RoomStatus = '" & NewRoomStatus & "'"
strSQL = strSQL & " WHERE RoomName = '" & grdEnquiry.Text & "'"

    Don't forget you also need to escape any ' characters that might be in there already.


  • Options
    #4
    Enygma
    Closed Accounts Posts: 1,651 ✭✭✭Enygma


    beat me to it :)


  • Options
    #5
    watty
    Registered Users Posts: 32,417 ✭✭✭✭watty


    I try to do as much as possible with SQL Server stored procedures that take a parameter.

    This can be "faked" in Access/Jet by creating a "report" that takes a parameter. Honest.

    Advantages:

    Easier to debug
    Runs much faster (Oracle, DB2, MDSExx, MS SQL etc)
    You can make changes on server without recompiling and reinstalling the application.


  • Options
    #6
    [CrimsonGhost]
    Registered Users Posts: 1,023 ✭✭✭[CrimsonGhost]


    Originally posted by Enygma
    beat me to it :)
    We both posted at 11.48 so it must have been only by seconds.


  • Advertisement
  • Options
    #7
    Kernel32
    Registered Users Posts: 640 ✭✭✭Kernel32


    Using Stored Procs also helps with SQL injection attacks.

    What if you were using SQL Server, connecting using sa or equivalent(which happens a lot amazingly) and grdEnquiry.Text contains the following...

    '; shutdown with nowait --

    Thats just one example, dymanic sql is generally evil.


  • Options
    #8
    bonkey
    Registered Users Posts: 15,443 ✭✭✭✭bonkey


    Originally posted by LurkingIcon
    This can be "faked" in Access/Jet by creating a "report" that takes a parameter. Honest.

    Don't you mean by using a Query, rather than a Report?

    jc


  • Options
    #9
    watty
    Registered Users Posts: 32,417 ✭✭✭✭watty


    Yep I meant query!

    (Shows how often I use Access rather than "real" SQL).


  • Options
    #10
    Orlie
    Registered Users Posts: 61 ✭✭Orlie


    Thanks guys! Sorted it!


  • Options
    #11
    Talliesin
    Closed Accounts Posts: 9,314 ✭✭✭Talliesin 


    Function SQLEscape(Str as String) As String
	SQLEscape = Replace$(Str, "'", "''")
End Function
strSQL = "Update RoomFile SET RoomStatus = '" & SQLEscape(NewRoomStatus) & "'"
strSQL = strSQL & " WHERE RoomName = " & SQLEscape(grdEnquiry.Text)
    Not escapeing possible ' characters is buggy at best, insecure at worse, both most of the time.


  • Advertisement
  • Options
    #12
    Enygma
    Closed Accounts Posts: 1,651 ✭✭✭Enygma


    Is there anything like Java's PreparedStatement in VB?


  • Options
    #13
    bonkey
    Registered Users Posts: 15,443 ✭✭✭✭bonkey


    Originally posted by Enygma
    Is there anything like Java's PreparedStatement in VB?

    Sure.

    If you're using ADO - which would be the most common - then it would be a Command object.

    ADO.Net will have OleDbCommand, OdbcCommand, etc.

    Outside that, both RDO and DAO both have an equivalent as well, but buggered if I can remember what they're called.

    jc


Advertisement