query, End of statement expected ')'

alobi

New member
Joined
Aug 13, 2016
Messages
2
Programming Experience
1-3
I am getting error on this line of code. txtVIN, it gets underlined, when I run a mouse over it says ')' end of statement expected
Code:
[FONT=Consolas][SIZE=2][FONT=Consolas][SIZE=2] sql = (
[/SIZE][/FONT][/SIZE][/FONT][FONT=Consolas][SIZE=2][COLOR=#a31515][FONT=Consolas][SIZE=2][COLOR=#a31515][FONT=Consolas][SIZE=2][COLOR=#a31515]"SELECT * FROM tbMVID WHERE [VINtbl] = "[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][FONT=Consolas][SIZE=2][FONT=Consolas][SIZE=2]  txtVIN.Text.ToString, conn)[/SIZE][/FONT][/SIZE][/FONT]
[FONT=Consolas][SIZE=2][FONT=Consolas][SIZE=2][/SIZE][/FONT][/SIZE][/FONT]
I've tried changing things around but it still does not work. Thanks for your time
 

jmcilhinney

VB.NET Forum Moderator
Staff member
Joined
Aug 17, 2004
Messages
14,108
Location
Sydney, Australia
Programming Experience
10+
Firstly, there's never a need to call ToString on a Text property of a control. As you would expect of something named Text, it is already a String.

As for the issue, the code you've posted makes no sense. I assume that what you intended was something like this:
sql = "SELECT * FROM tbMVID WHERE [VINtbl] = "  & txtVIN.Text

Dim command As New SqlCommand(sql, conn)
That's still potentially problematic though. For one thing, if that VINtbl column is a text type then you're missing the single quotes around the value and you'll get a an error of some sort when the SQL executes. Even worse though, is the fact that you leave yourself open to SQL injection and a malicious user may be able to delete every record in your database. If you're going to use ADO.NET then you should do it properly and use parameters to insert values, e.g.
sql = "SELECT * FROM tbMVID WHERE [VINtbl] = @VINtbl"

Dim command As New SqlCommand(sql, conn)

command.Parameters.AddWithValue("@VINtbl", txtVIN.Text)
That way, there's no issues with formatting, delimiters or SQL injection.
 
Top Bottom