
Hi! I am new to Visual Studio 2010. I am trying to develop a mini project related to an ATM.
But I have a syntax error (missing operator) in the query expression on 'Accountnumber=and PIN='. Can you help me correct this error? My code is:

op = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = F:\atm1.mdb")
op.Open()
cd = New OleDbCommand("select * from Table1 where Accountnumber=" + TextBox1.Text + "and PIN=" + TextBox2.Text + " ", op)
dr = cd.ExecuteReader()

Add a blank (space) between the two verbs.

Here is the issue: TextBox1.Text + "and PIN="

Never use a hardcoded SQL string. Use a parameterized query to prevent SQL injection. (Just Google "SQL Injection".)

Imports System.Data.OleDb

Dim op As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=F:\atm1.mdb")
' Placeholders instead of concatenating the text box values into the SQL
Dim cd As New OleDbCommand("select * from Table1 where Accountnumber=@acno and PIN=@pin", op)
cd.Parameters.AddWithValue("@acno", TextBox1.Text)
cd.Parameters.AddWithValue("@pin", TextBox2.Text)

op.Open()
Dim dr As OleDbDataReader = cd.ExecuteReader()
...
dr.Close()
op.Close()
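A fuller version of the parameterized login check, added here as an example and not code from the thread: it validates the text box input as integers first, binds the values as typed positional parameters, and disposes the connection with Using. Table1, Accountnumber, PIN and F:\atm1.mdb come from the question; AtmLogin and Authenticate are assumed names.

```vb
' Added example (not from the original thread). Assumes the Access file
' F:\atm1.mdb from the question, with a table Table1 holding numeric
' Accountnumber and PIN columns.
Imports System.Data.OleDb

Public Class AtmLogin
    Private Const ConnStr As String = _
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=F:\atm1.mdb"

    ' Returns True when exactly one row matches the account number and PIN.
    ' The input is checked to be an integer first and then passed as typed
    ' parameters, so the text box contents never become part of the SQL text.
    Public Shared Function Authenticate(accountText As String, pinText As String) As Boolean
        Dim accountNumber, pin As Integer
        If Not Integer.TryParse(accountText, accountNumber) OrElse _
           Not Integer.TryParse(pinText, pin) Then
            Return False   ' not a number: reject without touching the database
        End If

        ' OleDb binds parameters by position, so "?" markers are used and the
        ' parameters are added in the same order they appear in the statement.
        Const Sql As String = _
            "SELECT COUNT(*) FROM Table1 WHERE Accountnumber = ? AND PIN = ?"

        Using op As New OleDbConnection(ConnStr)
            Using cd As New OleDbCommand(Sql, op)
                cd.Parameters.Add("@acno", OleDbType.Integer).Value = accountNumber
                cd.Parameters.Add("@pin", OleDbType.Integer).Value = pin
                op.Open()
                Dim matches As Integer = Convert.ToInt32(cd.ExecuteScalar())
                Return matches = 1
            End Using
        End Using   ' Using closes the command and connection even on an exception
    End Function
End Class
```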
"SELECT * FROM Table1 WHERE Accountnumber=" & TextBox1.Text & " AND PIN=" & TextBox2.Text

Assuming that the account number and PIN are ONLY integers (numbers) and contain no text... If they do contain text:

"SELECT * FROM Table1 WHERE Accountnumber='" & TextBox1.Text & "' AND PIN='" & TextBox2.Text & "'"
