Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Update table on AS400 from vb.net app

Posted on 2007-11-14
7
Medium Priority
?
1,346 Views
Last Modified: 2013-11-26
I am using the iDB2Connection.  Here is my code:
Private Sub btnUpdate1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate1.Click
        Dim cn As iDB2Connection = New iDB2Connection("User ID=me;Password=me;Data Source=10.1.1.999;Connection Timeout = 0")
        Dim cmd As iDB2Command
        Dim sqlstring As String
                     
        sqlstring = "insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (" & txtName.Text & ", " & txtAddress.Text & ", " & txtCity.Text & ", " & txtState.Text & ", " & txtZip.Text & ")"

        Dim da As New iDB2DataAdapter(sqlstring, cn)
        'Dim ds As New DataSet("Airbill")

        'Open connection
        cn.Open()
        cmd = New iDB2Command(sqlstring, cn)
        cmd.ExecuteNonQuery()

        cn.Close()

    End Sub

Now when I run this and put in numeric data, it works fine, when I put in alphanumeric I get this error:
SQL0206 Column (whatever letter I put in the txtaddress.text) not in specified tables, but like I said numbers work fine.  Why would it see the text in my textbox as the column name?  The type in the fields of the table on the AS400 are set to Alpha except for the first textbox.  Thanks

0
Comment
Question by:bergertime
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 18

Expert Comment

by:Dave Ford
ID: 20281984

You probably need to enclose your text in single quotes.

At the point of exceuting the query, what (exactly) is the value of sqlstring? (the working one AND the non-working one)

- DaveSlash
0
 
LVL 3

Expert Comment

by:WaldenL
ID: 20282000
>Why would it see the text in my textbox as the column name?
Because you aren't quoting the data. Play it out as if you were the program, given your sql string, you'd end up with:

insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (122, Main st, Anytown, NY, 11111)

When what you want is:

insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (122, 'Main st', 'Anytown', 'NY', '11111')

HOWEVER, be very careful. In the example you've provided you're wide open to a SQL injection attack. Ask yourself this question, what happens if I, the user, put this into the txtAddress box:

';delete * from table;'

You'll string that right into the test and end up with a sql statement that drops a table. You should be using parameters for this operation.
0
 
LVL 2

Author Comment

by:bergertime
ID: 20282059
'You should be using parameters for this operation.'

How would I do that in the above example?
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
LVL 3

Expert Comment

by:WaldenL
ID: 20282111
Something to the effect of:

Private Sub btnUpdate1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate1.Click
      Dim cn As iDB2Connection = New iDB2Connection("User ID=me;Password=me;Data Source=10.1.1.999;Connection Timeout = 0")
      Dim cmd As iDB2Command
      Dim sqlstring As String
                     
      sqlstring = "insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (@Acct, @Nam1, @Nam2, @Add1, @City)"

      'Open connection
      cn.Open()
      cmd = cn.CreateCommand()
      cmd.CommandText = sql
      cmd.Prepare()

      cmd.Parameters("@Acct").Value =  txtName.Text
      cmd.Parameters("@Nam1").Value =  txtAddress.Text
      cmd.Parameters("@Nam2").Value = txtCity.Text
      '... set rest of parms

      cmd.ExecuteNonQuery()

      cn.Close()

End Sub

No probmises on the VB syntax, but it's close enough.

And before someone points out that the prepare() is a waste of a trip to the DB, IBM will do the prepare if you haven't, so you might as well take advantage of it.
0
 
LVL 2

Author Comment

by:bergertime
ID: 20282198
Thanks so much, you have answered my question, but if I might get two points a little more clear,  how does the parameters prevent the SQL injection attack?  And I'm not sure what you meant by 'the prepare() is a waste of a trip to the DB'....I didn't have it in my code, should I have it?
0
 
LVL 3

Accepted Solution

by:
WaldenL earned 2000 total points
ID: 20282242
By using parameters the 400 knows that each of the values are _values_ and not part of the string, therefore if you have a ;drop... in the value it will simply be interted into the row as text, also solves the problem of having to double single quotes in names like O'Conner.

As for prepare, it was in my example. It tells the ADO.Net to go ask the server to prepare the statement (sql-speak), and to determine the parameters and types in the sql statement passed. I used it so the Parameters collection would be populated.

To do the "prepare" there's a round-trip to the server. On other DBMSs, if you don't call prepare you'll avoid that round-trip, but in the case of the IBM provider, they do the round-trip no matter what, so you might as well use it to populate the parameters collection.

-Walden
0
 
LVL 2

Author Comment

by:bergertime
ID: 20282271
Thank you so much, I'm not sure if I've ever had an answer that was this clear.
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It seems a simple enough task, yet I see repeated questions asking how to do it: how to pass data between two forms. In this article, I will show you the different mechanisms available for you to do just that. This article is directed towards the .N…
This article describes relatively difficult and non-obvious issues that are likely to arise when creating COM class in Visual Studio and deploying it by professional MSI-authoring tools. It is assumed that the reader is already familiar with the cla…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question