<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>
Log in
::
Register
::
Not logged in
Home
Tags
Articles
Editorials
Stairways
Forums
Scripts
Videos
Blogs
QotD
Books
Ask SSC
SQL Jobs
Training
Authors
About us
Contact us
Newsletters
Write for us
<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>
Recent Posts
Recent Posts
Popular Topics
Popular Topics
Home
Search
Members
Calendar
Who's On
Home
»
SQL Server 2005
»
SQL Server 2005 Compact Edition
»
Home User: Win 7(64 bit) VBExpress 2010:...
Home User: Win 7(64 bit) VBExpress 2010: Parsing Error
Rate Topic
Display Mode
Topic Options
Author
Message
kenkob
kenkob
Posted Monday, March 05, 2012 1:21 PM
Grasshopper
Group: General Forum Members
Last Login: Sunday, May 13, 2012 5:31 AM
Points: 18,
Visits: 64
The following error is reported when I attempt to edit a record and then click on save to save the changes:
There was an error parsing the query. [Token line number = 1, Token line ofset = 38, Token in error = /]
This is the button Save code:
Private Sub btnSave_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnSave.Click
Select Case state
Case "n"
If txtFName.Text = "" Then
MsgBox("Name Cannot be null", , "My Telephone Book")
Else
Try
Using conn = New SqlCeConnection(connString)
Using cmd = New SqlCeCommand
cmd.Connection = conn
cmd.CommandText = "INSERT INTO Persons (" & _
"Fullname, " &
"DoB, " &
"DoM, " &
"MPhone, " &
"EMail, " &
"Notes, " &
"AddressID) " &
"VALUES " &
"(?,?,?,?,?,?,?)"
With cmd.Parameters.Add("FullName", Me.txtFName.Text)
cmd.Parameters.Add("DoB", Me.dtpDoB.Value)
cmd.Parameters.Add("Dom", Me.dtpDoM.Value)
cmd.Parameters.Add("MPhone", Me.txtMPhone.Text)
cmd.Parameters.Add("EMail", Me.txtEMail.Text)
cmd.Parameters.Add("Notes", Me.txtNotes.Text)
cmd.Parameters.Add("AddressID", Me.txtAddressID.Text)
End With
conn.Open()
cmd.ExecuteNonQuery()
End Using
End Using
MsgBox("Record Saved", , "My Telephone Book")
Catch sqlex As SqlCeException
Dim sqlError As SqlCeError
For Each sqlError In sqlex.Errors
MessageBox.Show(sqlError.Message)
Next
Catch ex As Exception
MsgBox("Error Saving Record", , "My Telephone Book")
Finally
conn.Close()
End Try
End If
Case "u"
If txtFName.Text = "" Then
MsgBox("Full Name cannot be empty", "My Telephone Book")
Else
Try
conn.Open()
Dim cmd As SqlCeCommand = conn.CreateCommand
'This is I believe is the Error line below
cmd.CommandText = "UPDATE Persons SET FullName" & txtFName.Text &
"DoB" & dtpDoB.Value &
"DoM" & dtpDoM.Value &
"MPhone" & txtMPhone.Text &
"EMail" & txtEMail.Text &
"Notes" & txtNotes.Text &
"FROM Persons WHERE PersonID = " & lstPersonID.Text
cmd.ExecuteNonQuery()
MsgBox("Record Updated", , "My Telephone Book")
conn.Close()
Call FillList()
Catch sqlex As SqlCeException
Dim sqlError As SqlCeError
For Each sqlError In sqlex.Errors
MessageBox.Show(sqlError.Message)
Next
Catch ex As Exception
'MsgBox("Error Updating Record", , "My Telephone Book")
MessageBox.Show(ex.Message)
Finally
conn.Close()
End Try
End If
End Select
sql = "SELECT * FROM Persons ORDER BY FullName"
Call FillList()
txtFind.Clear()
txtFName.Focus()
End Sub
Any help will be greatly appreciated as i've spent all day attempting to resolve this error.
Post #1261801
Jack Corbett
Jack Corbett
Posted Tuesday, March 06, 2012 7:48 AM
SSChampion
Group: General Forum Members
Last Login: Friday, May 17, 2013 12:22 PM
Points: 10,571,
Visits: 11,871
I'm going to make a couple of comments.
1. Concatenating text to create a SQL Statement in the application leaves your application vulnerable to SQL Injection. You should search for SQL Injection and code to avoid it.
2. In your UPDATE statement you need to do "SET column = " and I don't see any "=" signs in the UPDATE.
3. You also need to make sure you are wrapping string values in single-quotes so your code should be like this:
SQL = "Update table SET column = '" & control.Text & "' WHERE ID=" & IDControl.Text
I'm assuming the ID column is a numeric column.
Jack Corbett
Applications Developer
Don't let the good be the enemy of the best. --
Paul Fleming
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Post #1262205
kenkob
kenkob
Posted Tuesday, March 06, 2012 8:18 AM
Grasshopper
Group: General Forum Members
Last Login: Sunday, May 13, 2012 5:31 AM
Points: 18,
Visits: 64
T.hank you kindly for your response, Yes, the "ID" field is numeric. I will read up on SQL Injection.
Post #1262239
« Prev Topic
|
Next Topic »
Permissions
You
cannot
post new topics.
You
cannot
post topic replies.
You
cannot
post new polls.
You
cannot
post replies to polls.
You
cannot
edit your own topics.
You
cannot
delete your own topics.
You
cannot
edit other topics.
You
cannot
delete other topics.
You
cannot
edit your own posts.
You
cannot
edit other posts.
You
cannot
delete your own posts.
You
cannot
delete other posts.
You
cannot
post events.
You
cannot
edit your own events.
You
cannot
edit other events.
You
cannot
delete your own events.
You
cannot
delete other events.
You
cannot
send private messages.
You
cannot
send emails.
You
may
read topics.
You
cannot
rate topics.
You
cannot
vote within polls.
You
cannot
upload attachments.
You
may
download attachments.
You
cannot
post HTML code.
You
cannot
edit HTML code.
You
cannot
post IFCode.
You
cannot
post JavaScript.
You
cannot
post EmotIcons.
You
cannot
post or upload images.
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.
Privacy Policy.
Terms of Use.
Report Abuse.
