Home User: Win 7(64 bit) VBExpress 2010: Parsing Error

  • The following error is reported when I attempt to edit a record and then click on save to save the changes:

    There was an error parsing the query. [Token line number = 1, Token line ofset = 38, Token in error = /]

    This is the button Save code:

    Private Sub btnSave_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnSave.Click
        Select Case state
            Case "n"
                If txtFName.Text = "" Then
                    MsgBox("Name Cannot be null", , "My Telephone Book")
                Else
                    Try
                        Using conn = New SqlCeConnection(connString)
                            Using cmd = New SqlCeCommand
                                cmd.Connection = conn
                                cmd.CommandText = "INSERT INTO Persons (" & _
                                                  "Fullname, " &
                                                  "DoB, " &
                                                  "DoM, " &
                                                  "MPhone, " &
                                                  "EMail, " &
                                                  "Notes, " &
                                                  "AddressID) " &
                                                  "VALUES " &
                                                  "(?,?,?,?,?,?,?)"
                                With cmd.Parameters.Add("FullName", Me.txtFName.Text)
                                    cmd.Parameters.Add("DoB", Me.dtpDoB.Value)
                                    cmd.Parameters.Add("Dom", Me.dtpDoM.Value)
                                    cmd.Parameters.Add("MPhone", Me.txtMPhone.Text)
                                    cmd.Parameters.Add("EMail", Me.txtEMail.Text)
                                    cmd.Parameters.Add("Notes", Me.txtNotes.Text)
                                    cmd.Parameters.Add("AddressID", Me.txtAddressID.Text)
                                End With
                                conn.Open()
                                cmd.ExecuteNonQuery()
                            End Using
                        End Using
                        MsgBox("Record Saved", , "My Telephone Book")
                    Catch sqlex As SqlCeException
                        Dim sqlError As SqlCeError
                        For Each sqlError In sqlex.Errors
                            MessageBox.Show(sqlError.Message)
                        Next
                    Catch ex As Exception
                        MsgBox("Error Saving Record", , "My Telephone Book")
                    Finally
                        conn.Close()
                    End Try
                End If
            Case "u"
                If txtFName.Text = "" Then
                    MsgBox("Full Name cannot be empty", "My Telephone Book")
                Else
                    Try
                        conn.Open()
                        Dim cmd As SqlCeCommand = conn.CreateCommand
                        'This, I believe, is the error line below
                        cmd.CommandText = "UPDATE Persons SET FullName" & txtFName.Text &
                                          "DoB" & dtpDoB.Value &
                                          "DoM" & dtpDoM.Value &
                                          "MPhone" & txtMPhone.Text &
                                          "EMail" & txtEMail.Text &
                                          "Notes" & txtNotes.Text &
                                          "FROM Persons WHERE PersonID = " & lstPersonID.Text
                        cmd.ExecuteNonQuery()
                        MsgBox("Record Updated", , "My Telephone Book")
                        conn.Close()
                        Call FillList()
                    Catch sqlex As SqlCeException
                        Dim sqlError As SqlCeError
                        For Each sqlError In sqlex.Errors
                            MessageBox.Show(sqlError.Message)
                        Next
                    Catch ex As Exception
                        'MsgBox("Error Updating Record", , "My Telephone Book")
                        MessageBox.Show(ex.Message)
                    Finally
                        conn.Close()
                    End Try
                End If
        End Select
        sql = "SELECT * FROM Persons ORDER BY FullName"
        Call FillList()
        txtFind.Clear()
        txtFName.Focus()
    End Sub

    Any help will be greatly appreciated as I've spent all day attempting to resolve this error.

  • I'm going to make a couple of comments.

    1. Concatenating text to create a SQL Statement in the application leaves your application vulnerable to SQL Injection. You should search for SQL Injection and code to avoid it.

    2. In your UPDATE statement you need to do "SET column = " and I don't see any "=" signs in the UPDATE.

    3. You also need to make sure you are wrapping string values in single-quotes so your code should be like this:

    SQL = "Update table SET column = '" & control.Text & "' WHERE ID=" & IDControl.Text

    I'm assuming the ID column is a numeric column.
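    The parameterized form of the UPDATE that the comments above call for, as an added example that is not code from either poster. It assumes the form-level `connString`, the `Persons` columns and the control names from the original post; the form class name, the `Integer` type of `PersonID` and the `DateTime` type of `DoB`/`DoM` are assumptions.

    ```vb
    ' Added example: a parameterized UPDATE for the "u" branch of btnSave_Click.
    ' Imports belong at the top of the form's code file; the class name is assumed.
    Imports System.Data
    Imports System.Data.SqlServerCe

    Partial Public Class frmTelephoneBook
        Private Sub UpdatePerson()
            Dim personId As Integer
            ' Validate the identifier before it goes anywhere near the database.
            If Not Integer.TryParse(lstPersonID.Text, personId) Then
                MsgBox("Select a person to update first", , "My Telephone Book")
                Return
            End If

            Using conn As New SqlCeConnection(connString)
                Using cmd As SqlCeCommand = conn.CreateCommand()
                    ' Every column gets "column = @parameter". No text-box content is
                    ' concatenated into the statement, so a quote or comment marker typed
                    ' into a field is stored as data and cannot change the query's shape.
                    cmd.CommandText = "UPDATE Persons SET " &
                                      "FullName = @FullName, DoB = @DoB, DoM = @DoM, " &
                                      "MPhone = @MPhone, EMail = @EMail, Notes = @Notes " &
                                      "WHERE PersonID = @PersonID"

                    ' Explicit types: strings stay strings, dates stay dates, the key is an Int.
                    cmd.Parameters.Add("@FullName", SqlDbType.NVarChar).Value = txtFName.Text
                    cmd.Parameters.Add("@DoB", SqlDbType.DateTime).Value = dtpDoB.Value
                    cmd.Parameters.Add("@DoM", SqlDbType.DateTime).Value = dtpDoM.Value
                    cmd.Parameters.Add("@MPhone", SqlDbType.NVarChar).Value = txtMPhone.Text
                    cmd.Parameters.Add("@EMail", SqlDbType.NVarChar).Value = txtEMail.Text
                    cmd.Parameters.Add("@Notes", SqlDbType.NVarChar).Value = txtNotes.Text
                    cmd.Parameters.Add("@PersonID", SqlDbType.Int).Value = personId

                    conn.Open()
                    ' ExecuteNonQuery returns the rows affected; 0 means no row had that PersonID.
                    If cmd.ExecuteNonQuery() = 1 Then
                        MsgBox("Record Updated", , "My Telephone Book")
                    Else
                        MsgBox("No record with that PersonID", , "My Telephone Book")
                    End If
                End Using
            End Using
        End Sub
    End Class
    ```

    Because the connection and command are disposed by the `Using` blocks, no `Finally conn.Close()` is needed; a `SqlCeException` can still be caught by the caller exactly as in the original handler.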

  • Thank you kindly for your response. Yes, the "ID" field is numeric. I will read up on SQL Injection.
