sql command

  • sir

    I am a newbie and learning by using SQL Server Compact Edition.

    I am trying to query using a dynamic query system.

    My query is

    Dim adapterloadIP As New SqlDataAdapter("SELECT IP_Addr FROM IPPOOL WHERE ZoneName " & ZoneSearch & " AND UserName IS NULL", con)

    and getting this error

    An expression of non Boolean type specified in a context where a condition is expected

    sir

    Please tell me where I am making a mistake and how it can be solved.

    thanks

  • What is the value of ZoneSearch?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Try adding an equals sign at the end of the first string.

  • ZoneSearch is a variable and it contains a zone name selected from the combo box items

    here it is "City"

  • mkkb917 (5/9/2014)


    ZoneSearch is a variable and it contains a zone name selected from the combo box items

    here it is "City"

    Don't you have to put single quotes in there too, besides the missing equals sign?

    '"SELECT IP_Addr FROM IPPOOL WHERE ZoneName = 'Miami' AND UserName IS NULL"

    Dim adapterloadIP As New SqlDataAdapter("SELECT IP_Addr FROM IPPOOL WHERE ZoneName = '" & ZoneSearch & "' AND UserName IS NULL", con)

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • What would happen if someone sets the value of ZoneName to

    '; DELETE TABLE IPPOOL;

    Don't try this on a production environment.

    You might want to read about SQL Injection to prevent this and remember to use only parametrized queries. 😉

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

  • Luis Cazares (5/9/2014)


    What would happen if someone sets the value of ZoneName to

    '; DELETE TABLE IPPOOL;

    Don't try this on a production environment.

    You might want to read about SQL Injection to prevent this and remember to use only parametrized queries. 😉

    You beat me to it! I was just going to suggest using the SqlParameter class instead of a direct string build. Same reason: injection nightmare

  • mkkb917 (5/9/2014)


    ZoneSearch is a variable and it contains a zone name selected from the combo box items

    here it is "City"

    So the resultant dynamic query will read:

    SELECT IP_Addr FROM IPPOOL

    WHERE ZoneName City

    AND UserName IS NULL

    Hence the error you're getting.

    You really should parameterise that query.

    Gail Shaw
  • sir

    I have to use a parameterized SQL query, as on running the user will select the zone and then he will be able to see the IPPOOL of that selected zone.

  • On page 2 of this thread, Sean Lange gives a simple example of dynamic SQL (vulnerable to SQL injection), and a parameterized version of the same code.

    http://www.sqlservercentral.com/Forums/Topic1566653-392-2.aspx
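
A parameterized form of the query discussed in this thread, added here as an example; it is not code from any of the posters or from the linked thread. It keeps the thread's table, column and adapter names; the module name, the function name `LoadFreeIPs`, and the assumption that `ZoneName` is an NVARCHAR(50) column are hypothetical. It uses `System.Data.SqlClient` because the original post uses `SqlDataAdapter`; for SQL Server Compact the corresponding classes live in `System.Data.SqlServerCe`.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module IpPoolQueries

    ' Assumption: ZoneName is NVARCHAR(50). Match the real column definition.
    Private Const ZoneNameMaxLength As Integer = 50

    ' Returns the unassigned IP addresses for one zone.
    ' zoneSearch travels to the server as a parameter value, separate from the
    ' SQL text, so quotes or semicolons in it are compared as data and are
    ' never parsed as part of the statement.
    Function LoadFreeIPs(con As SqlConnection, zoneSearch As String) As DataTable
        If String.IsNullOrWhiteSpace(zoneSearch) Then
            Throw New ArgumentException("A zone must be selected.", "zoneSearch")
        End If
        ' A value longer than the declared parameter size would be truncated
        ' silently, so reject it instead of matching on a shortened name.
        If zoneSearch.Length > ZoneNameMaxLength Then
            Throw New ArgumentException("Zone name is too long.", "zoneSearch")
        End If

        ' The statement text is a constant: nothing from the user is concatenated.
        Const sql As String = "SELECT IP_Addr FROM IPPOOL WHERE ZoneName = @ZoneName AND UserName IS NULL"

        Dim result As New DataTable()
        Using cmd As New SqlCommand(sql, con)
            ' Explicit type and length keep the parameter consistent with the
            ' column and avoid per-length plan variations.
            cmd.Parameters.Add("@ZoneName", SqlDbType.NVarChar, ZoneNameMaxLength).Value = zoneSearch

            Using adapterloadIP As New SqlDataAdapter(cmd)
                ' Fill opens the connection if it is closed and closes it again.
                adapterloadIP.Fill(result)
            End Using
        End Using
        Return result
    End Function

End Module
```

With this version the "City" value from the combo box needs no surrounding quotes in the SQL text, and a value such as the one quoted earlier in the thread simply matches no zone.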
