
Please help, I'm trying to build a classroom scheduling system. The system is almost complete and I can debug it, but whenever I go to set some schedules it shows this kind of message:

MySql.Data.MySqlClient.MySqlException:

'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''SELECT subj.sub_code, subj.sub_desc, start_time, end_time, days, item_color, pr' at line 1'

What should I do? Please help. Here's the part of the code that I'm guessing has the problem:

Imports System.Data
Imports MySql.Data.MySqlClient

Dim constring As String = "server=localhost;user id='root';password='!Password123';database = 'scheduling'"
Dim sql As String
Dim cmd As MySqlCommand
Using con As New MySqlConnection(constring)
    ' The string starts with a single quote before SELECT and ends with one after "void = 0",
    ' so MySQL receives 'SELECT ... 0 ' and reports the syntax error "near ''SELECT ...'".
    ' room_id, school_semester_text and school_year_text are also pasted straight into the SQL text.
    sql = "'SELECT subj.sub_code, subj.sub_desc, start_time, end_time, days, item_color, pr_id, sched.sched_id, sched.course_id FROM tblschedule AS sched INNER JOIN open_subjects AS op_sub ON sched.sub_code = op_sub.sub_code INNER JOIN subject AS subj ON op_sub.sub_code = subj.sub_code WHERE sched.room_id ='" & room_id & "' AND op_sub.semester = '" & school_semester_text & "' AND op_sub.sy = '" & school_year_text & "' AND sched.void = 0 '"
    cmd = New MySqlCommand(sql, con)
    cmd.CommandType = CommandType.Text
    Using sda As New MySqlDataAdapter(cmd)
        Using ds As New DataSet()
            sda.Fill(ds, "tblschedule")   ' the exception is thrown here when the server parses the SQL
            Using dt As DataTable = ds.Tables("tblschedule")
                ' ... rows from dt are used to draw the schedule (rest of the code omitted in the question)
            End Using
        End Using
    End Using
End Using
You have a SQL injection issue. Always use parameterized queries instead of string concatenation. Apart from that, why do you use '' around your select statement? Commented Jan 29, 2022 at 19:27

1 Answer

Imports System.Data
Imports MySql.Data.MySqlClient

Dim constring As String = "server=localhost;user id=root;password=########;database=scheduling"
' No quotes around the statement, and the three filter values are placeholders, not concatenated text.
Dim sql As String = "
SELECT subj.sub_code, subj.sub_desc, start_time, end_time, days, item_color, pr_id, sched.sched_id, sched.course_id 
FROM tblschedule AS sched 
INNER JOIN open_subjects AS op_sub ON sched.sub_code = op_sub.sub_code
INNER JOIN subject AS subj ON op_sub.sub_code = subj.sub_code 
WHERE sched.room_id = @room_id AND op_sub.semester = @semester AND op_sub.sy = @year AND sched.void = 0
"

Dim dt As New DataTable()
Using con As New MySqlConnection(constring), _
      cmd As New MySqlCommand(sql, con), _
      sda As New MySqlDataAdapter(cmd)

    ' The driver sends these values separately from the SQL text, so they are never parsed as SQL.
    cmd.Parameters.AddWithValue("@room_id", room_id)
    cmd.Parameters.AddWithValue("@semester", school_semester_text)
    cmd.Parameters.AddWithValue("@year", school_year_text)
    sda.Fill(dt)   ' Fill opens and closes the connection itself
End Using

Note how I used the parameters instead of string concatenation. This is how you must do it if you don't want your application to end up horribly hacked.


6 Comments

Not forgetting "Can we stop using AddWithValue() already?", of course ;)
@AndrewMorton I don't really use MySql often myself, but I have it on good authority from people I trust that MySql handles parameter binding differently, and it's much less of a concern than with Sql Server.
@JoelCoehoorn Thanks, that's interesting information. (If it had been otherwise, I thought you might have taken the opportunity to put quotes around the parameter names.)
@AndrewMorton Well the quotes around the names was an oversight (now corrected).
@AndrewMorton I don't have anything handy, sorry.
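The answer above shows the fix; the comments after it recommend explicitly typed parameters rather than AddWithValue but do not show them. The following is an added example (not the answerer's or the asker's code) that wraps the same query in a reusable function with typed parameters. It assumes room_id, semester and sy are VARCHAR columns (the original quoted all three) and the sizes 20/20/10 are placeholders for the real schema.

```vb
Imports System.Data
Imports MySql.Data.MySqlClient

Public Module ScheduleRepository

    ' Placeholder connection string; in a real build read it from configuration
    ' instead of hard-coding the password next to the SQL.
    Private Const ConnString As String =
        "server=localhost;user id=root;password=########;database=scheduling"

    ' No quote before SELECT (the leading ' in the question is what produced
    ' "error in your SQL syntax ... near ''SELECT") and no concatenated values.
    Private Const ScheduleSql As String =
        "SELECT subj.sub_code, subj.sub_desc, start_time, end_time, days, item_color, pr_id, " &
        "       sched.sched_id, sched.course_id " &
        "FROM tblschedule AS sched " &
        "INNER JOIN open_subjects AS op_sub ON sched.sub_code = op_sub.sub_code " &
        "INNER JOIN subject AS subj ON op_sub.sub_code = subj.sub_code " &
        "WHERE sched.room_id = @room_id AND op_sub.semester = @semester " &
        "  AND op_sub.sy = @sy AND sched.void = 0"

    ' Returns the non-voided schedule rows for one room in one semester/school year.
    Public Function GetRoomSchedule(roomId As String, semester As String,
                                    schoolYear As String) As DataTable
        Dim dt As New DataTable()
        Using con As New MySqlConnection(ConnString),
              cmd As New MySqlCommand(ScheduleSql, con),
              sda As New MySqlDataAdapter(cmd)
            ' Explicit type and size (assumed values) instead of AddWithValue: the value is
            ' sent as data, so a quote or semicolon inside roomId is matched literally.
            cmd.Parameters.Add("@room_id", MySqlDbType.VarChar, 20).Value = roomId
            cmd.Parameters.Add("@semester", MySqlDbType.VarChar, 20).Value = semester
            cmd.Parameters.Add("@sy", MySqlDbType.VarChar, 10).Value = schoolYear
            sda.Fill(dt)   ' Fill opens and closes the connection itself
        End Using
        Return dt
    End Function

End Module
```

Call it as `GetRoomSchedule(room_id, school_semester_text, school_year_text)` from the form and bind the returned table to the grid; the parameter sizes only need to be at least as large as the columns.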
