0

I am developing a program for a school project that is kind of based on the "How to Use SQL Server with VB6 (inc. select & insert)" video on Youtube.

The program looks like this:

Seach Form

Clicking a radio button enables the textbox adjacent to it and disables the rest (except for the big textbox. Then inside the Search button, the following code is embedded:

Dim aConnection As New ADODB.Connection
Dim aRecSet As New ADODB.Recordset

Private Sub cmdSearch_Click()
If txtStuNum.Enabled = True Then
    aRecSet.Open "select * from studentTable where studentNumber'" & txtDisplay.Text & "'", aConnection, adOpenKeyset
ElseIf txtName.Enabled = True Then
    aRecSet.Open "select * from studentTable where Name'" & txtDisplay.Text & "'", aConnection, adOpenKeyset
ElseIf txtGrade.Enabled = True Then
    aRecSet.Open "select * from studentTable where Grade'" & txtDisplay.Text & "'", aConnection, adOpenKeyset
ElseIf txtSection.Enabled = True Then
    aRecSet.Open "select * from studentTable where section'" & txtDisplay.Text & "'", aConnection, adOpenKeyset
End If

End Sub

And when I press the search button, this pops up: Error Message

All responses are appreciated! Thanks!

C-Pound Guru
  • 15,967
  • 6
  • 46
  • 67
Chester Tuason
  • 1
  • 1
  • 2

1 Answers1

3

You forgot the = sign, the form is:

where field = 'string'

This code is open to SQL Injection attacks, if a textbox contained a ' character bad things can happen. Use Parameter & Command objects to avoid this, See this.

Tharif
  • 13,794
  • 9
  • 55
  • 77
Alex K.
  • 171,639
  • 30
  • 264
  • 288
  • Hi, thanks for your answer! However it when I add the "=", it still shows the same error. And about the ' , I personally think that it is okay since I don't expect anyone to use that particular character. Any more possible answer to this problem? Thanks! – Chester Tuason Jan 18 '15 at 11:04
  • Try removing `adOpenKeySet` and instead: `aRecSet.Open "select * from studentTable where section ='" & txtDisplay.Text & "'", aConnection, adOpenStatic, adLockReadOnly` – Alex K. Jan 18 '15 at 14:34
  • 1
    The `'` issue should be addressed, its called an SQL Injection flaw and could allow a malicious user to delete data from your database; http://stackoverflow.com/questions/601300/what-is-sql-injection – Alex K. Jan 18 '15 at 14:37
  • At the very least you can manually prevent this by escaping `'` to 2 x `'`: section ='" & replace$(txtDisplay, "'", "''").Text & "'"` – Alex K. Jan 18 '15 at 14:37