Home User: Win 7(64 bit) VBExpress 2010: Parsing Error

  • kenkob

    Mr or Mrs. 500

    Points: 532

    The following error is reported when I attempt to edit a record and then click on save to save the changes:

    There was an error parsing the query. [Token line number = 1, Token line ofset = 38, Token in error = /]

    This is the Save button code:

    Private Sub btnSave_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnSave.Click
        Select Case state
            Case "n"
                If txtFName.Text = "" Then
                    MsgBox("Name Cannot be null", , "My Telephone Book")
                Else
                    Try
                        Using conn = New SqlCeConnection(connString)
                            Using cmd = New SqlCeCommand
                                cmd.Connection = conn
                                cmd.CommandText = "INSERT INTO Persons (" & _
                                                  "Fullname, " &
                                                  "DoB, " &
                                                  "DoM, " &
                                                  "MPhone, " &
                                                  "EMail, " &
                                                  "Notes, " &
                                                  "AddressID) " &
                                                  "VALUES " &
                                                  "(?,?,?,?,?,?,?)"
                                ' Positional "?" placeholders: parameters are bound in the order they are added
                                cmd.Parameters.Add("FullName", Me.txtFName.Text)
                                cmd.Parameters.Add("DoB", Me.dtpDoB.Value)
                                cmd.Parameters.Add("Dom", Me.dtpDoM.Value)
                                cmd.Parameters.Add("MPhone", Me.txtMPhone.Text)
                                cmd.Parameters.Add("EMail", Me.txtEMail.Text)
                                cmd.Parameters.Add("Notes", Me.txtNotes.Text)
                                cmd.Parameters.Add("AddressID", Me.txtAddressID.Text)
                                conn.Open()
                                cmd.ExecuteNonQuery()
                            End Using
                        End Using
                        MsgBox("Record Saved", , "My Telephone Book")
                    Catch sqlex As SqlCeException
                        Dim sqlError As SqlCeError
                        For Each sqlError In sqlex.Errors
                            MessageBox.Show(sqlError.Message)
                        Next
                    Catch ex As Exception
                        MsgBox("Error Saving Record", , "My Telephone Book")
                    Finally
                        conn.Close()
                    End Try
                End If
            Case "u"
                If txtFName.Text = "" Then
                    MsgBox("Full Name cannot be empty", , "My Telephone Book")
                Else
                    Try
                        conn.Open()
                        Dim cmd As SqlCeCommand = conn.CreateCommand
                        ' This, I believe, is the error line (the UPDATE below)
                        cmd.CommandText = "UPDATE Persons SET FullName" & txtFName.Text &
                                          "DoB" & dtpDoB.Value &
                                          "DoM" & dtpDoM.Value &
                                          "MPhone" & txtMPhone.Text &
                                          "EMail" & txtEMail.Text &
                                          "Notes" & txtNotes.Text &
                                          "FROM Persons WHERE PersonID = " & lstPersonID.Text
                        cmd.ExecuteNonQuery()
                        MsgBox("Record Updated", , "My Telephone Book")
                        conn.Close()
                        Call FillList()
                    Catch sqlex As SqlCeException
                        Dim sqlError As SqlCeError
                        For Each sqlError In sqlex.Errors
                            MessageBox.Show(sqlError.Message)
                        Next
                    Catch ex As Exception
                        'MsgBox("Error Updating Record", , "My Telephone Book")
                        MessageBox.Show(ex.Message)
                    Finally
                        conn.Close()
                    End Try
                End If
        End Select
        sql = "SELECT * FROM Persons ORDER BY FullName"
        Call FillList()
        txtFind.Clear()
        txtFName.Focus()
    End Sub

    Any help will be greatly appreciated as I've spent all day attempting to resolve this error.

  • Jack Corbett

    SSC Guru

    Points: 184296

    I'm going to make a couple of comments.

    1. Concatenating text to create a SQL Statement in the application leaves your application vulnerable to SQL Injection. You should search for SQL Injection and code to avoid it.

    2. In your UPDATE statement you need to do "SET column = " and I don't see any "=" signs in the UPDATE.

    3. You also need to make sure you are wrapping string values in single-quotes so your code should be like this:

    SQL = "Update table SET column = '" & control.Text & "' WHERE ID=" & IDControl.Text

    I'm assuming the ID column is a numeric column.


    Jack Corbett, Consultant, Straight Path Solutions
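    As an added example (not code from either poster), here is the "u" branch of btnSave_Click rewritten with a parameterised UPDATE, which settles all three points at once: the missing "=" signs, the quoting of string values, and the SQL injection exposure, since no control text is ever pasted into the SQL. It assumes the post's form controls, connString and SQL CE provider, and assumes nvarchar/datetime column types and an integer PersonID as confirmed in the thread.

    ```vb
    ' Added example, not from the original thread. Assumes the same form
    ' controls, connString and SQL CE provider as the post.
    Imports System.Data
    Imports System.Data.SqlServerCe

    Private Sub UpdatePerson()
        ' PersonID is numeric (confirmed in the thread); validate it here so a
        ' non-numeric list-box value is rejected before any SQL runs.
        Dim personId As Integer
        If Not Integer.TryParse(lstPersonID.Text, personId) Then
            MsgBox("Select a valid person first", , "My Telephone Book")
            Return
        End If

        Using conn As New SqlCeConnection(connString)
            Using cmd As SqlCeCommand = conn.CreateCommand()
                ' Each column gets "= ?"; no hand-written quotes and no FROM clause.
                cmd.CommandText =
                    "UPDATE Persons SET FullName = ?, DoB = ?, DoM = ?, " &
                    "MPhone = ?, EMail = ?, Notes = ? " &
                    "WHERE PersonID = ?"

                ' SQL CE binds "?" placeholders positionally, so the Add order
                ' must match the placeholder order above. Typed parameters mean
                ' a quote or comma in a text box is just data, never SQL.
                cmd.Parameters.Add("FullName", SqlDbType.NVarChar).Value = txtFName.Text
                cmd.Parameters.Add("DoB", SqlDbType.DateTime).Value = dtpDoB.Value
                cmd.Parameters.Add("DoM", SqlDbType.DateTime).Value = dtpDoM.Value
                cmd.Parameters.Add("MPhone", SqlDbType.NVarChar).Value = txtMPhone.Text
                cmd.Parameters.Add("EMail", SqlDbType.NVarChar).Value = txtEMail.Text
                cmd.Parameters.Add("Notes", SqlDbType.NVarChar).Value = txtNotes.Text
                cmd.Parameters.Add("PersonID", SqlDbType.Int).Value = personId

                conn.Open()
                ' ExecuteNonQuery returns the affected row count; exactly one
                ' row should change for a valid PersonID.
                Dim rows As Integer = cmd.ExecuteNonQuery()
                If rows = 1 Then
                    MsgBox("Record Updated", , "My Telephone Book")
                Else
                    MsgBox("No record with that PersonID", , "My Telephone Book")
                End If
            End Using
        End Using
    End Sub
    ```

    The Using blocks dispose the connection and command on every path, so the separate Finally/conn.Close() in the original is no longer needed.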

  • kenkob

    Mr or Mrs. 500

    Points: 532

    Thank you kindly for your response. Yes, the "ID" field is numeric. I will read up on SQL Injection.
