need some help in my code please
Join Date: Apr 2005
Posts: 129
Reputation:
Solved Threads: 0
Hi everyone, I am trying to create a shopping cart working with VB & Access. When I wrote the add function an error occurred that I do not know how to solve: "Syntax error in INSERT INTO statement". Please help me to solve the problem.
A screenshot is attached containing the page and the exception message. Here is the function:
```vbnet
Protected Sub getproduct_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles getproduct.Click
    Dim x As String
    x = Session("user")
    Dim LongTimeString As String = ""
    Dim DateToString As String = ""
    Dim ShortTimeString As String = ""
    Dim LongDateString As String = ""
    Dim Daysinmonth As Integer = 0
    Dim ErrorStr As String = ""
    Dim ErrorStr1 As String = ""
    con = New OleDbConnection
    Dim cmd As OleDbCommand = New OleDbCommand
    Dim Add As String
    con.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source='C:\Documents and Settings\USER\Desktop\my\WebSite2\App_Data\EC.mdb';Persist Security Info=True"
    If con.State = Data.ConnectionState.Closed Then
        con.Open()
    End If
    Dim OrderDate = System.DateTime.Now
    LongTimeString = OrderDate.ToLongTimeString
    Daysinmonth = System.DateTime.DaysInMonth(OrderDate.Year, OrderDate.Month)
    DateToString = OrderDate.ToString
    ShortTimeString = OrderDate.ToShortTimeString
    LongDateString = OrderDate.ToLongDateString
    If (product.Text = "") Then
        ErrorStr = ErrorStr & " Please Enter Product number, "
    End If
    If (Quantity.Text = "") Then
        ErrorStr1 = ErrorStr1 & " Please Enter Product quantity, "
    End If
    Dim pri = "SELECT price FROM product WHERE ProductNO='" & product.Text & "'"
    cmd.Connection = con
    cmd.CommandText = pri
    Dim s As String = cmd.ExecuteScalar()
    Add = "INSERT INTO order Values ('" & 1 & "','" & Quantity.Text & "','" & pri & "','" & Daysinmonth & "','" & x & "','" & product.Text & "');"
    cmd.CommandText = Add
    Try
        cmd.ExecuteNonQuery()
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub
```
Last edited by some one; Jan 17th, 2008 at 11:36 am.
Join Date: Apr 2005
Posts: 129
Reputation:
Solved Threads: 0
I tried to change the statement, but the same error still occurs. Please help me.
```vbnet
While (i <= 100)
    i = (i + 1)
    Dim pri = "SELECT price FROM product WHERE ProductNO='" & product.Text & "'"
    cmd.Connection = con
    cmd.CommandText = pri
    Dim s As String = cmd.ExecuteScalar()
    Dim a As String
    a = ("INSERT INTO order Values ( i And Quantity.Text And pri And Daysinmonth And x And product.Text );")
    cmd.CommandText = a
End While
```
Join Date: Sep 2007
Posts: 1,080
Reputation:
Solved Threads: 68
These are your problems:
1. You cannot add an integer into an integer column with quotes.
2. You're inserting directly into the SQL statement. Use parameters.
Do this insert statement, and please change your code to use parameters. It will protect you from SQL INJECTION. Because right now, I can easily type a drop command into any of these fields and your table will be dropped with all data. Anyway, here's your fixed insert statement.
This assumes all your fields are for integers and not text. Text columns you wrap in your quotes (" '" & .. & "' "), all integer fields you don't (" " & .. & " ").
```vbnet
Add = "INSERT INTO order Values ('" & 1 & "','" & Quantity.Text & "','" & pri & "','" & Daysinmonth & "','" & x & "','" & product.Text & "');"
```
```vbnet
Add = "INSERT INTO order Values (1," & Quantity.Text & "," & pri & "," & Daysinmonth & "," & x & "," & product.Text & ");"
```
Join Date: Sep 2007
Posts: 1,080
Reputation:
Solved Threads: 68
Alright, well then there can be a few problems. Make sure all data types of your columns meet the correct ways of entering them (integer - no quotes in query :: text - quotes in query), then make sure you have the right number of columns in the query as you do on your database table. If you have 7 columns on your table and 6 or 8 in your query, you will get this error. Safest bet is to do an insert like this:
```sql
INSERT INTO tblname (column1, column2, column3.....) VALUES (value1, value2, value3.....)
```
Those should be your only two problems. Have you attempted to use parameters instead of direct inserts? It will help reduce errors tenfold.
```vbnet
Add = "INSERT INTO tblname (column1, column2, column3, ....) VALUES (?, ?, ?, ....)"
cmd.Parameters.AddWithValue( "?ColumnName", value )
```
Join Date: Sep 2007
Posts: 1,080
Reputation:
Solved Threads: 68
I am actually at work so I can't use the files anyway.
I gave you an example on how to use the parameters. It's quite simple.
```vbnet
Add = "INSERT INTO tblname (column1, column2, column3, ....) VALUES (?, ?, ?, ....)"
cmd.Parameters.AddWithValue( "?Column1", value1 )
cmd.Parameters.AddWithValue( "?Column2", value2 )
cmd.Parameters.AddWithValue( "?Column3", value3 )
```
Do that for each parameter you have. They must be in the same order as your SQL statement.
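Added example, not part of any post in this thread: the original handler's price lookup and insert rewritten with OleDb parameters and an explicit column list, with `[order]` bracketed because ORDER is a reserved word in Jet SQL. The `AddOrderLine` helper, the `[order]` column names and the `|DataDirectory|` connection string are assumptions; substitute the real schema.

```vbnet
Imports System.Data.OleDb

Public Module OrderData
    ' Assumed connection string; |DataDirectory| resolves to App_Data in ASP.NET.
    Private Const ConnStr As String = _
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\EC.mdb"

    ' Hypothetical helper: returns Nothing on success, otherwise a message to display.
    Public Function AddOrderLine(ByVal orderNo As Integer, ByVal productNo As String, _
                                 ByVal quantityText As String, ByVal userName As String) As String
        Dim quantity As Integer
        If String.IsNullOrEmpty(productNo) Then Return "Please enter a product number."
        If Not Integer.TryParse(quantityText, quantity) OrElse quantity <= 0 Then
            Return "Please enter a whole-number quantity greater than zero."
        End If

        Using con As New OleDbConnection(ConnStr)
            con.Open()

            ' Price lookup: the product number is bound as data, never spliced into SQL.
            Dim price As Object
            Using cmd As New OleDbCommand("SELECT price FROM product WHERE ProductNO = ?", con)
                cmd.Parameters.AddWithValue("?ProductNO", productNo)
                price = cmd.ExecuteScalar()
            End Using
            If price Is Nothing OrElse price Is DBNull.Value Then Return "Unknown product."

            ' Column names are assumed. Listing them keeps the value count in step
            ' with the table; [order] is bracketed because ORDER is reserved in Jet SQL.
            Dim sql As String = "INSERT INTO [order] " & _
                "(OrderNo, Quantity, Price, DaysInMonth, UserName, ProductNO) " & _
                "VALUES (?, ?, ?, ?, ?, ?)"
            Using cmd As New OleDbCommand(sql, con)
                ' OleDb binds by position, so add parameters in the order of the ? marks.
                Dim today As Date = Date.Now
                cmd.Parameters.AddWithValue("?OrderNo", orderNo)
                cmd.Parameters.AddWithValue("?Quantity", quantity)
                cmd.Parameters.AddWithValue("?Price", price)
                cmd.Parameters.AddWithValue("?DaysInMonth", Date.DaysInMonth(today.Year, today.Month))
                cmd.Parameters.AddWithValue("?UserName", userName)
                cmd.Parameters.AddWithValue("?ProductNO", productNo)
                cmd.ExecuteNonQuery()
            End Using
        End Using
        Return Nothing
    End Function
End Module
```

From the click handler this would be called as `AddOrderLine(1, product.Text, Quantity.Text, CStr(Session("user")))`, showing the returned message when it is not Nothing.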