 SQL Query


romy
Starting Member

6 Posts

Posted - 2007-05-03 : 13:27:02
Hi,

Please see the following query, where
q is a variable:
Dim q as string = "GGGG"
I want to pass this variable in this query, but it's throwing an exception.

When I pass the GGGG value instead of the variable it works, but according to my requirement I have to pass a variable.

sSQL = "SELECT T1.NAME,T1.CONT_GUID FROM CUST_CONT T1 INNER JOIN CONT_FOLD_ASS T2 ON T1.CUST_CONT_PK = T2.CUST_CONT_PK INNER JOIN CONT_CAT_FOLD T3 ON T3.CONT_CAT_FOLD_PK = T2.CONT_CAT_FOLD_PK WHERE T1.CONT_GUID = """ + Q + """ "

dinakar
Master Smack Fu Yak Hacker

2507 Posts

Posted - 2007-05-03 : 13:28:13
What is the programming language you are trying to do this in?

Dinakar Nethi
SQL Server MVP
************************
Life is short. Enjoy it.
************************
http://weblogs.sqlteam.com/dinakar/

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2007-05-03 : 13:55:31
It's VB.

"...WHERE T1.CONT_GUID = '" + Q + "' "

_______________________________________________
Causing trouble since 1980
blog: http://weblogs.sqlteam.com/mladenp

dinakar
Master Smack Fu Yak Hacker

2507 Posts

Posted - 2007-05-03 : 14:07:02
It's been ages since I did any VB code, but I thought you use & for concatenation in VB? In C# you use the + symbol. The "Dim . as ." did narrow me down to VB, but I got confused with the +.
Anyway, try this:

sSQL = "SELECT T1.NAME,T1.CONT_GUID FROM CUST_CONT T1 INNER JOIN CONT_FOLD_ASS T2 ON T1.CUST_CONT_PK = T2.CUST_CONT_PK INNER JOIN CONT_CAT_FOLD T3 ON T3.CONT_CAT_FOLD_PK = T2.CONT_CAT_FOLD_PK WHERE T1.CONT_GUID = '" & Q & "'"


Better yet, use parameterized queries, then the query will look like:

sSQL = "SELECT T1.NAME,T1.CONT_GUID FROM CUST_CONT T1 INNER JOIN CONT_FOLD_ASS T2 ON T1.CUST_CONT_PK = T2.CUST_CONT_PK INNER JOIN CONT_CAT_FOLD T3 ON T3.CONT_CAT_FOLD_PK = T2.CONT_CAT_FOLD_PK WHERE T1.CONT_GUID = @Q"

It looks much simpler and also protects your app from SQL injection attacks.


Dinakar Nethi
SQL Server MVP
************************
Life is short. Enjoy it.
************************
http://weblogs.sqlteam.com/dinakar/
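The parameterized form suggested in the post above, written out as an added VB.NET example that is not code from the thread. It assumes CONT_GUID is a varchar(50) column and uses a placeholder connection string; FindContentNames is a hypothetical helper name.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module ContentLookup
    ' Query text from the thread. @Q is a placeholder: no user data is spliced into the string.
    Private Const QueryText As String = _
        "SELECT T1.NAME, T1.CONT_GUID FROM CUST_CONT T1 " & _
        "INNER JOIN CONT_FOLD_ASS T2 ON T1.CUST_CONT_PK = T2.CUST_CONT_PK " & _
        "INNER JOIN CONT_CAT_FOLD T3 ON T3.CONT_CAT_FOLD_PK = T2.CONT_CAT_FOLD_PK " & _
        "WHERE T1.CONT_GUID = @Q"

    ' Hypothetical helper: returns the NAME column of every matching row.
    Function FindContentNames(ByVal connectionString As String, ByVal q As String) As List(Of String)
        Dim names As New List(Of String)
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(QueryText, conn)
                ' Assumption: CONT_GUID is varchar(50); use the real column type and length.
                ' The value travels separately from the SQL text, so a quote character
                ' inside q is compared as data and cannot alter the statement.
                cmd.Parameters.Add("@Q", SqlDbType.VarChar, 50).Value = q
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        ' NAME may be NULL in the table; skip those rows.
                        If Not reader.IsDBNull(0) Then names.Add(reader.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return names
    End Function

    Sub Main()
        ' Placeholder connection string (assumption); point it at your own server.
        Dim connStr As String = "Server=localhost;Database=ExampleDb;Integrated Security=True"
        ' "GGGG" is the sample value from the thread; "O'Brien" is a constructed value
        ' that would break the quote-concatenated query but is safe here.
        For Each q As String In New String() {"GGGG", "O'Brien"}
            For Each name As String In FindContentNames(connStr, q)
                Console.WriteLine(name)
            Next
        Next
    End Sub
End Module
```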

romy
Starting Member

6 Posts

Posted - 2007-05-03 : 14:18:08
Thanks a lot, now my query is working.

In VB we can use both & and + for concatenation.

Thanks a lot.