
I'm having a problem with the line

da.Fill(ds, "Employee")

and I don't have any clue to solve this. Can anyone help?

This is my actual code:

Private Sub btnsearch_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnsearch.Click
    Dim da As New SqlClient.SqlDataAdapter
    Dim ds As New DataSet
    Dim dt As New DataTable

    If txtssn.Text = "" Then
        MsgBox("Please input SSN.", MsgBoxStyle.Exclamation, "Company Records - Employee")
    Else
        con.Open()
        Dim cmd As New SqlCommand("SELECT * FROM [Employee] WHERE [Ssn] = '" & Trim(Me.txtssn.Text) & "')", con)

        da.SelectCommand = cmd

        da.Fill(ds, "Employee")
        dt = ds.Tables("Employee")

        If (dt.Rows.Count > 0) Then
            Me.txtfname.Text = dt.Rows(0).Item(1)
            Me.txtmi.Text = dt.Rows(0).Item(2)
            Me.txtlname.Text = dt.Rows(0).Item(3)
            Me.dtpbdate.Text = dt.Rows(0).Item(5)
            Me.txtaddress.Text = dt.Rows(0).Item(6)
            Me.cmbsex.Text = dt.Rows(0).Item(7)
            Me.txtsalary.Text = dt.Rows(0).Item(8)
            Me.cmbsuperssn.Text = dt.Rows(0).Item(9)
            'Me.cmbdept.Text =
            btnedit.Enabled = True
            btndelete.Enabled = True
            editable()
        Else
            MsgBox("Record Not Found", MsgBoxStyle.Information + MsgBoxStyle.OkOnly, "Company Records - Employee")
        End If

        con.Close()
    End If
End Sub
user3744076
    The devil in me says: Type `';DROP TABLE Employee;--`, but I prefer to say: Read about SQL injection – Steve Oct 06 '14 at 07:25

3 Answers


Remove the closing parenthesis, since that's a SELECT, not an INSERT:

"SELECT * FROM [Employee] WHERE [Ssn] = '" & Trim(Me.txtssn.Text) & "'"

However, I would always use SQL parameters to prevent SQL injection.

Dim ds As New DataSet
Using con As New SqlConnection("ConnectionString")
    Using da As New SqlDataAdapter("SELECT * FROM [Employee] WHERE [Ssn] = @SSN", con)
        ' The value is sent as a typed parameter, never concatenated into the SQL text
        da.SelectCommand.Parameters.Add("@SSN", SqlDbType.VarChar).Value = txtssn.Text
        da.Fill(ds, "Employee") ' Fill opens and closes the connection itself
    End Using
End Using
Tim Schmelter
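Putting the answer above together with the asker's handler, here is an added example (not code from the question or from any answer) of the whole search rewritten around a parameter. It assumes the same form controls and helper as the question, a module-level `connectionString` variable, `Imports System.Data` and `Imports System.Data.SqlClient` at the top of the file, and hypothetical column names in the SELECT list that must be replaced with the table's real ones.

```vbnet
Private Sub btnsearch_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnsearch.Click
    Dim ssn As String = txtssn.Text.Trim()
    If ssn = "" Then
        MsgBox("Please input SSN.", MsgBoxStyle.Exclamation, "Company Records - Employee")
        Return
    End If

    ' Explicit column list instead of SELECT *, so the fields read below do not
    ' shift when the table layout changes. Column names are hypothetical.
    Dim sql As String = "SELECT Fname, Minit, Lname, Bdate, Address, Sex, Salary, Super_ssn " &
                        "FROM [Employee] WHERE [Ssn] = @SSN"

    Dim dt As New DataTable("Employee")
    ' Using disposes the connection and adapter even if Fill throws.
    Using con As New SqlConnection(connectionString), da As New SqlDataAdapter(sql, con)
        ' The SSN travels as a typed parameter value, never as part of the SQL text,
        ' so quotes or a ';DROP TABLE ...' string are compared literally against [Ssn].
        da.SelectCommand.Parameters.Add("@SSN", SqlDbType.VarChar).Value = ssn
        da.Fill(dt) ' Fill opens and closes the connection itself
    End Using

    If dt.Rows.Count = 0 Then
        MsgBox("Record Not Found", MsgBoxStyle.Information Or MsgBoxStyle.OkOnly, "Company Records - Employee")
        Return
    End If

    Dim row As DataRow = dt.Rows(0)
    ' Read by column name through a helper so a NULL column does not throw.
    txtfname.Text = Field(row, "Fname")
    txtmi.Text = Field(row, "Minit")
    txtlname.Text = Field(row, "Lname")
    dtpbdate.Text = Field(row, "Bdate")
    txtaddress.Text = Field(row, "Address")
    cmbsex.Text = Field(row, "Sex")
    txtsalary.Text = Field(row, "Salary")
    cmbsuperssn.Text = Field(row, "Super_ssn")
    btnedit.Enabled = True
    btndelete.Enabled = True
    editable()
End Sub

' Returns the column as text, or an empty string when the value is DBNull.
Private Function Field(ByVal row As DataRow, ByVal name As String) As String
    If row.IsNull(name) Then Return String.Empty
    Return Convert.ToString(row(name))
End Function
```

The trailing `)` from the question cannot recur here because the SQL text is a fixed string with no user input spliced into it.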

Remove the trailing ) from your SQL statement.

"SELECT * FROM [Employee] WHERE [Ssn] = '" & Trim(Me.txtssn.Text) & "'"

Also see why you shouldn't be doing it in the first place.

GSerg

There is a syntax error near your SQL statement, so you need to remove the unwanted ( to make this statement work.

Dim cmd As New SqlCommand("SELECT * FROM [Employee] WHERE [Ssn] = '" & Trim(Me.txtssn.Text) & "'", con)