Your query will cause this error to happen as you're passing it a string, but dont have single quotes around it so your DB thinks its an integer value. Also, you're going to want to be using parameterized SQL to help prevent SQL Injection attacks. Your current query looks like
vb
Dim queryString As String = "select name from Patientdata where name = " & pname & ""
You need to change it to
vb
Dim queryString As String = "select name from Patientdata where name = '" & pname & "'"
Notice the single quotes before and after the variable, this will let your db know its a string value. If you want your code to be secure, I would take a look at the changes I've made in your code below
vb
#Region " Button Click "
Private Sub btnSearch_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnSearch.Click
Dim pname As String = ""
pname = txtName.Text
Dim connectionString As String = GetConString()
'Remove the '" & Pname & "'" to help defend against SQL Inject attacks
Dim queryString As String = "select name from Patientdata where name = @pname"
Using connection As New OleDb.OleDbConnection(connectionString)
Dim command As OleDb.OleDbCommand = connection.CreateCommand()
'Tell our command object it's executing a text statement
command.CommandType = CommandType.Text
'Tell it what is is executing
command.CommandText = queryString
'Here we are using the Parameters Collection to add our parameter
command.Parameters.AddWithValue("@pname", pname)
'Set the connection of our command object
command.Connection = connection
'Open our connection
connection.Open()
Dim dr As OleDb.OleDbDataReader
dr = command.ExecuteReader()
Do While dr.Read()
ListBox1.Items.Add(dr.Item("name"))
'TextBox1.Text = dr.Item("name")
Loop
End Using
End Sub
#End Region
Hope that helps
EDIT: Moved to VB.Net
This post has been edited by PsychoCoder: 24 Feb, 2008 - 09:18 AM
24 Feb, 2008 - 03:44 AM
| 