Hi! I am new to Visual Studio 2010. I am trying to develop a mini project related to an ATM.
But I have a syntax error (missing operator) in query expression on 'Accountnumber=and PIN='. Can you help me correct this error? My code is:

op = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = F:\atm1.mdb")
op.Open()
' The literal "and PIN=" has no leading space, so the account number runs straight into "and" in the SQL text
cd = New OleDbCommand("select * from Table1 where Accountnumber=" + TextBox1.Text + "and PIN=" + TextBox2.Text + " ", op)
dr = cd.ExecuteReader()

All 3 Replies

Add a blank (space) between the two verbs.

Here is an issue: TextBox1.Text + "and PIN="

Never use a hardcoded SQL string. Use a parameterized query to prevent SQL injection. (Just Google "SQL Injection".)

op = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = F:\atm1.mdb")
' Placeholders instead of concatenated text; OleDb binds parameters by position, so add them in the order they appear
cd = New OleDbCommand("select * from Table1 where Accountnumber=@acno and PIN=@pin", op)
cd.Parameters.AddWithValue("@acno", TextBox1.Text)
cd.Parameters.AddWithValue("@pin", TextBox2.Text)

op.Open()
Dim dr As OleDbDataReader = cd.ExecuteReader()
...
dr.Close()
op.Close()
"SELECT * FROM Table1 WHERE Accountnumber=" & TextBox1.Text & " AND PIN=" & TextBox2.Text & ""

Assuming that the account number and PIN are ONLY integers (numbers) and contain no text... If they do contain text...

"SELECT * FROM Table1 WHERE Accountnumber='" & TextBox1.Text & "' AND PIN='" & TextBox2.Text & "'"

What will happen when the user's input in TextBox2 is either

  1. 1 or 1=1
  2. 1' or '1'='1
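An added example, not code from any of the replies or from the original poster: it runs the three query styles from this thread (the unquoted and quoted concatenation shown in the reply above, and the parameterized form from the earlier reply) against a constructed in-memory SQLite table standing in for Table1 in atm1.mdb. It is Python with sqlite3 rather than VB.NET with OleDb so it runs without Access; placeholders are `?` here where OleDb uses `@acno`/`@pin`, and the sample rows are made up. It also shows the original missing-space query failing to parse, which is the question's actual error.

```python
import sqlite3

# Constructed sample data standing in for Table1 in F:\atm1.mdb (not real accounts)
SAMPLE_ROWS = [(1001, 1234), (1002, 5678), (1003, 9999)]


def open_db():
    """Create an in-memory table shaped like the thread's Table1."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Table1 (Accountnumber INTEGER, PIN INTEGER)")
    con.executemany("INSERT INTO Table1 VALUES (?, ?)", SAMPLE_ROWS)
    return con


def login_missing_space_fails(con, acct, pin):
    """The original poster's string: no space before 'and', so the SQL does not parse.
    Returns True when the database rejects the statement."""
    sql = "select * from Table1 where Accountnumber=" + acct + "and PIN=" + pin + " "
    try:
        con.execute(sql).fetchall()
    except sqlite3.Error:
        return True
    return False


def login_concat_numeric(con, acct, pin):
    """Unquoted concatenation from the last reply: user text becomes part of the SQL grammar."""
    sql = "SELECT * FROM Table1 WHERE Accountnumber=" + acct + " AND PIN=" + pin
    return con.execute(sql).fetchall()


def login_concat_quoted(con, acct, pin):
    """Quoted concatenation from the last reply: a single quote in the input closes the literal early."""
    sql = "SELECT * FROM Table1 WHERE Accountnumber='" + acct + "' AND PIN='" + pin + "'"
    return con.execute(sql).fetchall()


def login_parameterized(con, acct, pin):
    """The parameterized form from the earlier reply: the SQL text is fixed, values are bound separately,
    so whatever the user types is compared as data and never re-parsed as SQL."""
    sql = "SELECT * FROM Table1 WHERE Accountnumber=? AND PIN=?"
    return con.execute(sql, (acct, pin)).fetchall()


if __name__ == "__main__":
    con = open_db()
    print("missing space rejected:", login_missing_space_fails(con, "1001", "1234"))
    # Legitimate login: every style returns exactly the matching row
    print("concat, valid PIN:", login_concat_numeric(con, "1001", "1234"))
    print("params, valid PIN:", login_parameterized(con, "1001", "1234"))
    # The two inputs listed in the reply above: concatenation returns every row, parameters return none
    print("concat, input 1:", login_concat_numeric(con, "1001", "1 or 1=1"))
    print("quoted, input 2:", login_concat_quoted(con, "1001", "1' or '1'='1"))
    print("params, input 1:", login_parameterized(con, "1001", "1 or 1=1"))
    print("params, input 2:", login_parameterized(con, "1001", "1' or '1'='1"))
```

With the concatenated strings, both listed inputs turn the WHERE clause into `... AND PIN=1 OR 1=1` (or its quoted equivalent), which is true for every row, so the "login" returns all three accounts without a correct PIN. With the bound parameters, the same inputs are just strings compared against the PIN column and match nothing, which is the point of the earlier reply.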