1

This years is a sample of combo box. What should I do for this to have no error?

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles save.Click
        Dim genderval As String
        Dim birthdate As String
        birthdate = bday.Value.ToString()
        If babae.Checked = True Then
            genderval = "Female"
        Else
            genderval = "Male"
        End If
        query = "insert into studentinfo(Lastname,Firstname,middlename,birthdate,gender,age,studentyear,username,accountpassword,confirmpassword) values('" & familynem.Text & "','" & givennem.Text & "','" & middlenem.Text & "','" & birthdate & "','" & genderval & "','" & Edaad.Text & "','" *years* "','" & usename.Text & "','" & accpass.Text & "','" & confirmpass.Text & "')"
        con.Open()
        cmd = New SqlCommand(query, con)
        cmd.ExecuteNonQuery()
        con.Close()
        dataReload()
        user.Show()
        Me.Hide()


    End Sub
End Class
Steve
user3428268

2 Answers

0

You need to access the ComboBox by its properties and not directly.

Use Years.Text or Years.SelectedValue instead of Years

Try this

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles save.Click
        Dim genderval As String
        Dim birthdate As String
        birthdate = bday.Value.ToString()
        If babae.Checked = True Then
            genderval = "Female"
        Else
            genderval = "Male"
        End If
        query = "insert into studentinfo(Lastname,Firstname,middlename,birthdate,gender,age,studentyear,username,accountpassword,confirmpassword) values('" & familynem.Text & "','" & givennem.Text & "','" & middlenem.Text & "','" & birthdate & "','" & genderval & "','" & Edaad.Text & "','" & Years.Text & "','" & usename.Text & "','" & accpass.Text & "','" & confirmpass.Text & "')"
        con.Open()
        cmd = New SqlCommand(query, con)
        cmd.ExecuteNonQuery()
        con.Close()
        dataReload()
        user.Show()
        Me.Hide()
    End Sub
End Class
Vignesh Kumar A
0

This kind of error is common when you use a concatenated string. Somewhere, one or more of your string values contains an invalid character that breaks the syntax of the SQL command. For example, if one of your textboxes contains a single quote, the resulting query text would be invalid. Also, it is not clear what years is. If it is a combobox, then you need to extract its value through the property Text (or SelectedValue, or SelectedItem). Another thing to be aware of is the matching between the parameter values and the underlying column datatype. They should be the same, so for integer fields you need to add a conversion from the textbox text (Age?).

The answer, as usual, is parameterized queries, which remove this kind of error and the SQL injection vulnerability.

' MySqlCommand comes from MySql.Data.MySqlClient (MySQL Connector/NET)
query = "insert into studentinfo " & _
        "(Lastname,Firstname,middlename,birthdate,gender,age," & _
        "studentyear,username,accountpassword,confirmpassword) " & _
        "values(@family,@given,@mname,@dob,@gender,@eda,@years,@uname,@pwd,@cpwd)"

con.Open()
' cmd = New SqlCommand(query, con)
cmd = New MySqlCommand(query, con)
' Each value travels as a parameter, so quotes in the text cannot break the SQL
cmd.Parameters.AddWithValue("@family", familynem.Text)
cmd.Parameters.AddWithValue("@given", givennem.Text)
cmd.Parameters.AddWithValue("@mname", middlenem.Text)
cmd.Parameters.AddWithValue("@dob", birthdate)
cmd.Parameters.AddWithValue("@gender", genderval)
cmd.Parameters.AddWithValue("@eda", Edaad.Text) ' or Convert.ToInt32(Edaad.Text)
cmd.Parameters.AddWithValue("@years", years.Text)
cmd.Parameters.AddWithValue("@uname", usename.Text)
cmd.Parameters.AddWithValue("@pwd", accpass.Text)
cmd.Parameters.AddWithValue("@cpwd", confirmpass.Text)
cmd.ExecuteNonQuery()

By the way, you have tagged this question with MySql but you are using a SqlCommand. What is the right database to use?

Community
Steve
  • Uhmm, I tried to use your given code but this message appears: "No mapping exists from object type System.Windows.Forms.ComboBox to a known managed provider native type." – user3428268 Mar 17 '14 at 11:17
  • So Years is the name of the combobox, then you pass the value years.Text – Steve Mar 17 '14 at 11:19
  • But as stated above. If the fields are numeric (Age, StudentYear) then the value passed in the AddWithValue should be converted to the correct datatype (Convert.ToInt32(years.Text)) – Steve Mar 17 '14 at 11:22
  • Yes, years was the name of the combo box that address to studentyear. – user3428268 Mar 17 '14 at 11:32
  • what is the right declaration of this cmd.Parameters.AddWithValue("@eda",Edaad.Text) ' or Convert.ToInt32(Edaad.Text) – user3428268 Mar 17 '14 at 11:52
  • what is the right declaration of this cmd.Parameters.AddWithValue("@eda",Edaad.Text) ' or Convert.ToInt32(Edaad.Text) – user3428268 Mar 17 '14 at 11:59
  • It depends on the datatable field named `Age`. If it is a field with numeric type (integer, long, tinyint etc) then you need to pass an integer in the AddWithValue not a string (Edaad.Text is a string) thus the conversion – Steve Mar 17 '14 at 12:16
  • years was a combo box, and then I don't know how to use it. My problem is only in the years. – user3428268 Mar 17 '14 at 12:29
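
The parameterized insert and the datatype conversion discussed in the comments, written as a stand-alone function. This is an added example, not code from either answer. It assumes MySQL Connector/NET, that the age and studentyear columns are INT and birthdate is DATE; the names StudentInsertExample, InsertStudent and connString are hypothetical.

```vb
Imports MySql.Data.MySqlClient

Module StudentInsertExample
    ' Assumed schema: age and studentyear are INT, birthdate is DATE, the rest VARCHAR.
    Private Const InsertSql As String = _
        "insert into studentinfo " & _
        "(Lastname,Firstname,middlename,birthdate,gender,age," & _
        "studentyear,username,accountpassword,confirmpassword) " & _
        "values(@family,@given,@mname,@dob,@gender,@eda,@years,@uname,@pwd,@cpwd)"

    ' Call it with control values, never the controls themselves, e.g.
    '   InsertStudent(connString, familynem.Text, givennem.Text, middlenem.Text, bday.Value,
    '                 genderval, Edaad.Text, years.Text, usename.Text, accpass.Text, confirmpass.Text)
    ' Passing the ComboBox object instead of years.Text is what raises "No mapping exists".
    ' Returns Nothing on success, or a message naming the field that failed conversion.
    Function InsertStudent(connString As String, family As String, given As String, _
                           middle As String, dob As Date, gender As String, _
                           ageText As String, yearText As String, uname As String, _
                           pwd As String, cpwd As String) As String
        Dim age As Integer
        Dim studentYear As Integer
        ' Convert the numeric fields first, so bad input never reaches the database.
        If Not Integer.TryParse(ageText, age) Then Return "Age must be a whole number."
        If Not Integer.TryParse(yearText, studentYear) Then Return "Year must be a whole number."

        ' Using closes the connection even when ExecuteNonQuery throws.
        Using con As New MySqlConnection(connString)
            Using cmd As New MySqlCommand(InsertSql, con)
                ' Explicit parameter types instead of AddWithValue's inference from the value.
                cmd.Parameters.Add("@family", MySqlDbType.VarChar).Value = family
                cmd.Parameters.Add("@given", MySqlDbType.VarChar).Value = given
                cmd.Parameters.Add("@mname", MySqlDbType.VarChar).Value = middle
                cmd.Parameters.Add("@dob", MySqlDbType.Date).Value = dob.Date
                cmd.Parameters.Add("@gender", MySqlDbType.VarChar).Value = gender
                cmd.Parameters.Add("@eda", MySqlDbType.Int32).Value = age
                cmd.Parameters.Add("@years", MySqlDbType.Int32).Value = studentYear
                cmd.Parameters.Add("@uname", MySqlDbType.VarChar).Value = uname
                cmd.Parameters.Add("@pwd", MySqlDbType.VarChar).Value = pwd
                cmd.Parameters.Add("@cpwd", MySqlDbType.VarChar).Value = cpwd
                con.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
        Return Nothing
    End Function
End Module
```

A name such as O'Brien in familynem.Text is stored as typed, because the value is sent separately from the SQL text and the quote is never parsed as part of the statement.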