OleDbCommand commandtwo = new OleDbCommand("SELECT * from tblShowings WHERE ShowFilmID = " + filmID.Text + " AND Showdate = " + date.Text + " AND Showtime = " + time.Text + "", con);

What is wrong with my SQL query? I keep getting this error:

System.Data.OleDb.OleDbException: 'Syntax error (missing operator) in query expression 'ShowFilmID = 1111 AND Showdate = 67/87/9999 AND Showtime = 10:00'

  • Parametrized query! Commented Dec 24, 2019 at 15:40
  • Well clearly your strings in the query need quotes around them to be valid SQL. But as @LukaszSzozda says, use parameters instead of string concatenation and you will solve a lot of other problems at the same time. Commented Dec 24, 2019 at 15:43
  • What date is this? 67/87/9999 Commented Dec 24, 2019 at 15:49
  • @Steve: It's an invalid one. Commented Dec 24, 2019 at 15:49
  • @steve I was just testing a random date to test if the SQL query would work Commented Dec 24, 2019 at 15:51

2 Answers


Your current code is vulnerable to SQL injection. You should be using a parameterized query to avoid SQL injection and to handle value types correctly.

The error in your code is because you are missing single quotes (') around the string values:

"Showdate = '" + date.Text + "'" + ...

Here's an example how you should be using parameterized query:

OleDbCommand command = new OleDbCommand(
  "SELECT * from tblShowings WHERE ShowFilmID = ? AND Showdate = ? AND Showtime = ?", con);
// OleDb placeholders are positional: parameters bind in the order they are added, not by name.
// Add takes one parameter at a time.
command.Parameters.Add(new OleDbParameter("ShowFilmID", filmID.Text));
command.Parameters.Add(new OleDbParameter("Showdate", date.Text));
command.Parameters.Add(new OleDbParameter("Showtime", time.Text));

2 Comments

What makes you think that ShowFilmID is a string field and requires quotes around the values to compare?
Thanks! @Steve fixed it. Used date field for illustration.

Just a point to ponder here from a security standpoint. You need to ensure your data input/output is validated/sanitized to avoid exploits. The ideal process is stored procedures and parameterized values. If that is not possible, ensure that you have encoded your values so as to avoid SQL injection. Just my 2 cents worth.
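Putting the two answers together (parameterize, and validate before you query), here is an added example that is not code from the question or either answer. It assumes the column types from the question's error text (ShowFilmID numeric, Showdate a Date/Time field, Showtime stored as text in HH:mm form), a dd/MM/yyyy date format, and an open `OleDbConnection` named `con`.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Globalization;

static class ShowingsQuery
{
    // Parses the three text-box values into typed values and binds them as OleDb parameters.
    // Returns null with a reason when the input cannot be a valid key, so nothing reaches the database.
    public static OleDbCommand Build(OleDbConnection con, string filmIdText, string dateText, string timeText, out string error)
    {
        error = null;

        if (!int.TryParse(filmIdText, NumberStyles.None, CultureInfo.InvariantCulture, out int filmId))
        { error = "ShowFilmID must be a whole number"; return null; }

        // The "67/87/9999" from the question is rejected here instead of producing a SQL syntax error.
        // Assumed format: dd/MM/yyyy.
        if (!DateTime.TryParseExact(dateText, "dd/MM/yyyy", CultureInfo.InvariantCulture, DateTimeStyles.None, out DateTime showDate))
        { error = "Showdate must be dd/MM/yyyy"; return null; }

        // Assumed: Showtime is a text column holding HH:mm.
        if (!TimeSpan.TryParseExact(timeText, @"hh\:mm", CultureInfo.InvariantCulture, out TimeSpan showTime))
        { error = "Showtime must be HH:mm"; return null; }

        var cmd = new OleDbCommand(
            "SELECT * FROM tblShowings WHERE ShowFilmID = ? AND Showdate = ? AND Showtime = ?", con);

        // OleDb placeholders are positional: parameters bind in the order they are added; the names are ignored.
        // Typed parameters mean the provider quotes and converts the values, so user text is never part of the SQL.
        cmd.Parameters.Add("ShowFilmID", OleDbType.Integer).Value = filmId;
        cmd.Parameters.Add("Showdate", OleDbType.Date).Value = showDate.Date;
        cmd.Parameters.Add("Showtime", OleDbType.VarWChar).Value = showTime.ToString(@"hh\:mm");
        return cmd;
    }
}

// Usage from the form (assumes the question's filmID, date and time TextBoxes):
// var cmd = ShowingsQuery.Build(con, filmID.Text, date.Text, time.Text, out string err);
// if (cmd == null) { MessageBox.Show(err); return; }
// using (var reader = cmd.ExecuteReader()) { /* read rows */ }
```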
