Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 246
  • Last Modified:

QUERY WILL NOT WORK DIFFERENT ERROR EACH TIME

I can't get this sql query to load the datagridview.First off I have a table called nflplayerspass it has the most important field called Season with this I can filter a season Now look
season errorIn SQLEXPRESS MANAGEMENT Studio I can write queries no problem However when I load my query I get ambitious column Season so If I takeaway season from the query and combobox I can retrieve data. I am angry and frustrated How can Season be in database but in my winform I can't pull any data based on year Without Season(year) I'm dead in the water Here is queryMaybe I missed something.  
Here is the code
 Public Sub GetpassingNfl()

        Dim ds As New DataSet

        Dim SelectCommand As New SqlCommand

        connetionString = "Data Source=tsnappdev01;Initial Catalog=TSN2;User ID=sa;Password=sportsrus"
        connection = New SqlConnection(connetionString)

        sql = " Select PK_NFLPLAYERSPASS,np.FirstName,np.LastName, t.Fullname,np.PlayerID,np.TeamID, npp.SeasonType,npp.Season,npp.Conference,npp.Att,npp.Comp,npp.Yards,npp.Long,npp.TD,npp.Inter,npp.Sacks,npp.SKYds,npp.Rating FROM NFLPlayersPass npp "
        sql += " join NflPlayers np on np.PlayerID = npp.PlayerID join Teams t on t.TeamID = npp.team WHERE"
        sql += " npp.Season = " & cmbseason.SelectedText & "Order By np.Lastname"

       
        If cmbseason.Text = "" Then
            Exit Sub
        End If
        

        connection = New SqlConnection(connetionString)

        Try

            connection.Open()
            adapter = New SqlDataAdapter(sql, connection)
            adapter.Fill(ds)
            connection.Close()
            dvgPass.DataSource = ds.Tables(0)

        Catch ex As Exception
            MsgBox(ex.ToString)
        End Try


        
        Me.dvgPass.RowsDefaultCellStyle.BackColor = Color.Bisque
        Me.dvgPass.AlternatingRowsDefaultCellStyle.BackColor = Color.Beige
        dvgPass.ColumnHeadersHeight = 55
        dvgPass.ColumnHeadersHeightSizeMode = DataGridViewColumnHeadersHeightSizeMode.AutoSize
       

        Me.dvgPass.RowsDefaultCellStyle.BackColor = Color.Bisque
        Me.dvgPass.AlternatingRowsDefaultCellStyle.BackColor = Color.Beige
        dvgPass.ColumnHeadersHeight = 55
        dvgPass.ColumnHeadersHeightSizeMode = DataGridViewColumnHeadersHeightSizeMode.AutoSize
        ' Add the image column to the grid.
        ' DataGridView1.Columns.Add(imageCol)

        dvgPass.Columns("Lastname").Frozen = True

    End Sub

Open in new window



Latest error then what app such do I'm not a great DB Person learning

latest errror
vbnet app
0
powerztom
Asked:
powerztom
  • 2
1 Solution
 
ste5anSenior DeveloperCommented:
The problem is will be obvious when you use MessageBox.Show(sql) before you use the variable sql with the adapter. There IS e.g. a space missing before ORDER BY. You can use ctrl-c to copy the message box output to test it in SSMS.
0
 
rawinnlnx9Commented:
 sql = " Select PK_NFLPLAYERSPASS,np.FirstName,np.LastName, t.Fullname,np.PlayerID,np.TeamID, npp.SeasonType,npp.Season,npp.Conference,npp.Att,npp.Comp,npp.Yards,npp.Long,npp.TD,npp.Inter,npp.Sacks,npp.SKYds,npp.Rating FROM NFLPlayersPass npp "
        sql += " join NflPlayers np on np.PlayerID = npp.PlayerID join Teams t on t.TeamID = npp.team WHERE"
        sql += " npp.Season = '" & cmbseason.SelectedText & "' Order By np.Lastname"

Open in new window


You have to use the debugger to see what's in sql before you send it. If you look at that you'll see that your SQL lacks white space and the single quotes necessary to indicate the data value.

You have to use escape characters at times or get familiar with using the @ when concattenating strings.

sql += npp.Season & "='" & cmbseason.SelectedText & "' Order By " & np.Lastname 

Open in new window

 

Hover the cursor over sql once you step over that last += and then copy your entire SQL text out of the debugger. Or in the immediate window type "sql" and hit enter. To get the contents. Either way your concatenation is terrible.

Not only that this SQL screams SQL Injection. This is not how you get data. You build stored procedures and pass the data as parameters and you enforce length.


Below is an example of how you do this correctly. You will see that length is enforced I would also suggest you look into properly encoding string types for use in queries, html, etc...

SqlCommand scCommand = new SqlCommand("usp_CheckEmailMobile", sqlCon);
scCommand.CommandType = CommandType.StoredProcedure;
scCommand.Parameters.Add("@Name", SqlDbType.VarChar, 50).Value = txtName.Text;
scCommand.Parameters.Add("@Email", SqlDbType.NVarChar, 50).Value = txtEmailAddress.Text;
scCommand.Parameters.Add("@Password ", SqlDbType.NVarChar, 50).Value = txtPassword.Text;
scCommand.Parameters.Add("@CountryCode", SqlDbType.VarChar.50).Value =ddlCountryCode.SelectedText;
scCommand.Parameters.Add("@Mobile", SqlDbType.NVarChar, 50).Value = txtMobileNumber.Text;
scCommand.Parameters.Add("@Result ", SqlDbType.Bit).Direction = ParameterDirection.Output;
try

Open in new window

0
 
powerztomAuthor Commented:
Dude awesome debugging trick I never used messagebox to see what I was missing.Thank You
0
 
powerztomAuthor Commented:
rawinnlnx9 thanks for the tips.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now