May 9, 2014 at 9:29 am
sir
i am new bie and learning by using sql server compact edition
i am trying to query using dynamic query system
my query is
Dim adapterloadIP As New SqlDataAdapter("SELECT IP_Addr FROM IPPOOL WHERE ZoneName " & ZoneSearch & " AND UserName IS NULL", con)
and getting this error
An expression of non Boolean type specified in a context where a condition is expected
sir
please tell me where is am making mistake and how will be it solved
thanks
May 9, 2014 at 9:35 am
What is the value of ZoneSearch?
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
May 9, 2014 at 9:52 am
Try adding an equals sign at the end of the first string.
May 9, 2014 at 10:08 am
ZoneSearch is a variable and it contain a zone name selected form the combo box items
here it is "City"
May 9, 2014 at 10:15 am
mkkb917 (5/9/2014)
ZoneSearch is a variable and it contain a zone name selected form the combo box itemshere it is "City"
don't you have to put singe quotes in there too, besides the missing equals sign?
'"SELECT IP_Addr FROM IPPOOL WHERE ZoneName = 'Miami' AND UserName IS NULL"
Dim adapterloadIP As New SqlDataAdapter("SELECT IP_Addr FROM IPPOOL WHERE ZoneName = '" & ZoneSearch & "' AND UserName IS NULL", con)
Lowell
May 9, 2014 at 12:59 pm
What would happen if someone sets the value of ZoneName to
'; DELETE TABLE IPPOOL;
Don't try this on a production environment.
You might want to read about SQL Injection to prevent this and remember to use only parametrized queries. 😉
May 9, 2014 at 1:34 pm
Luis Cazares (5/9/2014)
What would happen if someone sets the value of ZoneName to
'; DELETE TABLE IPPOOL;Don't try this on a production environment.
You might want to read about SQL Injection to prevent this and remember to use only parametrized queries. 😉
You beat me to it! I was just going to suggest using the SqlParameter class instead of a direct string build. Same reason: injection nightmare
May 9, 2014 at 3:39 pm
mkkb917 (5/9/2014)
ZoneSearch is a variable and it contain a zone name selected form the combo box itemshere it is "City"
So the resultant dynamic query will read:
SELECT IP_Addr FROM IPPOOL
WHERE ZoneName City
AND UserName IS NULL
Hence the error you're getting.
You really should parameterise that query.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
May 10, 2014 at 4:29 am
sir
i have to use parameterized sql query as on running the user will select the zone and then he will able to see the ippool of that selected zone
May 10, 2014 at 2:34 pm
On page 2 of this thread, Sean Lange gives a simple example of dynamic SQL (vulnerable to sql injection), and a parameterized version of the same code.
http://www.sqlservercentral.com/Forums/Topic1566653-392-2.aspx
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply