0

My query on two different tables user table and zone table is creating a problem:

cmd.CommandText = "SELECT  zone_name, zone_difference FROM user_master INNER JOIN zones on user_master.zone_id = zones.ID WHERE user_master.uname LIKE " & """" & usr_gl & """"

Dim reader_q As OleDbDataReader

reader_q = cmd.ExecuteReader()

Here, zone name and difference are from zones table and zone_id (from customer) and ID (zones) are in relation, Also user name (uname) is coming from outside as usr_gl variable for e.g. "admin"

It is saying No value given for one or two parameters. I checked all the table columns and data. The same query is running independently from Access database.

Is there anything wrong i am executing here?

Prasad Dixit
  • 31
  • 1
  • 9
  • Maybe the runtime value of `usr_gl` is injecting a parameter syntax element into the query and confusing the query parser? Using string concatenation like that for building database queries is pretty dangerous, even if you think you have control over the input values. Does the problem persist if you fix the SQL injection vulnerability and use parameterized queries? – David May 14 '13 at 12:23

1 Answers1

0

Yes, you are trying to concatenate strings and this is a NO-NO in code

cmd.CommandText = "SELECT  zone_name, zone_difference FROM " & _
                  "user_master INNER JOIN zones on user_master.zone_id = zones.ID " & _
                  "WHERE user_master.uname LIKE ?"

cmd.Parameters.AddWithValue("@p1", usr_gl)
Dim reader_q As OleDbDataReader
reader_q = cmd.ExecuteReader()

String concatenation is considered a bad practice because many problems could arise with that Correct string formatting (with quotes, decimals, dates) is the first problem but the Sql Injection is the worst of all. Using Parametrized queries should avoid all of those problems

Community
  • 1
  • 1
Steve
  • 213,761
  • 22
  • 232
  • 286