
I have the code below

technician_sqlsource.SelectCommand = "Select analyst as Analyst, sample_description, RFA_number, convert(varchar(10), updated_date, 103)as updated_date, customer, po_number, total_charged from New_Analysis_Data where analyst =  '" & FullName & "' and updated_date > '" & CDate(startdate.Text) & "'" & " and updated_date < '" & CDate(enddate.Text) & "'"

This basically passes the SQL command through to the SQL server and retrieves data between 2 dates. These dates come from 2 text boxes (start and end date). When I run this I get the error: "The conversion of a varchar data type to a datetime data type resulted in an out-of-range value."

If I remove & "'" & " and updated_date < '" & CDate(enddate.Text) & "'" then it works; it seems to be an issue with the enddate.

4
  • The query is vulnerable to SQL injection attacks. You're practically begging to get hacked. Commented May 24, 2013 at 13:28
  • Apart from the SQL-injection issue, which is very serious and can be avoided easily with SQL parameters, what date strings are you trying to convert to a datetime and what culture are you using (e.g. "en-us")? CDate uses the current culture to convert a string to Date. Commented May 24, 2013 at 13:32
  • Culture is set to en-gb. I don't understand the difference, i.e. why does it work if I remove enddate and just leave > startdate? It displays everything greater than the date I enter. As soon as I add < enddate it throws the error. Commented May 24, 2013 at 14:18
  • It's not the code change that fixes things, it's the data. The end date you are testing with does not convert to a datetime object correctly. Is it possible your calendar extender is creating a US date that is invalid for the en-gb culture? E.g. 5/24/2013 is correct in US, but invalid for en-gb. Commented May 24, 2013 at 14:49

4 Answers

4

Use query parameters!

technician_sqlsource.SelectCommand = _
      "SELECT analyst as Analyst, sample_description, RFA_number, " & _
            " convert(varchar(10), updated_date, 103) as updated_date, " & _
            " customer, po_number, total_charged " & _
      " FROM New_Analysis_Data " & _
      " WHERE analyst = @FullName " & _
            " AND updated_date >= @StartDate AND updated_date < @EndDate"

 With technician_sqlsource.SelectCommand.Parameters
      .Add("@FullName", SqlDbType.VarChar,50).Value = FullName
      .Add("@StartDate", SqlDbType.DateTime).Value = startdate.Text
      .Add("@EndDate", SqlDbType.DateTime).Value = enddate.Text
 End With

This also may or may not fix your problem with the end date. Even if it doesn't fix the problem, you should get a clearer error message... but most likely, you're not entering a valid date format in that textbox. Have you considered using a DatePicker control?


3 Comments

Great answer. I am a beginner so I chose the way of a beginner. You show the path not only to user2050577 but also to me. +1 for giving us the right direction.
I now get an error on technician_sqlsource.SelectCommand.Parameters; it says Parameters is not a member of String.
Just for info, I am using 2 textboxes combined with calendar extenders.
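The two issues raised in the comments on the question (string concatenation into the SQL text, and CDate depending on the current culture) and the parameterised query from the answer above, worked through in one runnable example. This is an added example, not code from the thread: Python's sqlite3 stands in for the VB.NET SqlDataSource and SQL Server so it runs offline, the New_Analysis_Data table and its rows are constructed, and the analyst name "Mary O'Neil" is a made-up value chosen only because the apostrophe breaks the concatenated query while the parameterised one handles it.

```python
"""Added example (not from the thread): why the concatenated query breaks and
how a parameterised query plus explicit date parsing avoids both problems.

Python's sqlite3 stands in for the VB.NET SqlDataSource / SQL Server code in
the question so this runs offline; the table and its rows are constructed.
"""
import sqlite3
from datetime import datetime

# Constructed sample data standing in for the New_Analysis_Data table.
# updated_date is stored as ISO text (yyyy-mm-dd) so it sorts and compares correctly.
SAMPLE_ROWS = [
    ("Joe Bloggs", "soil sample", "RFA-001", "2013-05-10", "ACME", "PO-1", 100.0),
    ("Joe Bloggs", "water sample", "RFA-002", "2013-05-20", "ACME", "PO-2", 250.0),
    ("Joe Bloggs", "air sample", "RFA-003", "2013-06-02", "ACME", "PO-3", 75.0),
    ("Mary O'Neil", "soil sample", "RFA-004", "2013-05-15", "Globex", "PO-4", 80.0),
]

COLUMNS = ("analyst, sample_description, RFA_number, updated_date, "
           "customer, po_number, total_charged")


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE New_Analysis_Data (analyst TEXT, sample_description TEXT, "
        "RFA_number TEXT, updated_date TEXT, customer TEXT, po_number TEXT, "
        "total_charged REAL)"
    )
    conn.executemany("INSERT INTO New_Analysis_Data VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def parse_gb_date(text):
    """Parse a dd/MM/yyyy textbox value with an explicit format.

    This replaces culture-dependent CDate: '24/05/2013' parses, while a
    US-ordered '05/24/2013' raises ValueError here instead of reaching the
    database as an out-of-range datetime.
    """
    return datetime.strptime(text.strip(), "%d/%m/%Y").date()


def query_concat(conn, analyst, start_text, end_text):
    """The question's approach: values spliced into the SQL text (unsafe)."""
    start = parse_gb_date(start_text).isoformat()
    end = parse_gb_date(end_text).isoformat()
    sql = ("SELECT " + COLUMNS + " FROM New_Analysis_Data WHERE analyst = '" + analyst
           + "' AND updated_date >= '" + start + "' AND updated_date < '" + end + "'")
    return conn.execute(sql).fetchall()


# Half-open range [start, end) as in the accepted answer; ':name' is sqlite3's
# named-parameter syntax, the equivalent of @name in SqlClient.
PARAM_SQL = ("SELECT " + COLUMNS + " FROM New_Analysis_Data "
             "WHERE analyst = :analyst AND updated_date >= :start AND updated_date < :end")


def query_param(conn, analyst, start_text, end_text):
    """Parameterised version: the driver sends values separately from the SQL."""
    params = {
        "analyst": analyst,
        "start": parse_gb_date(start_text).isoformat(),
        "end": parse_gb_date(end_text).isoformat(),
    }
    return conn.execute(PARAM_SQL, params).fetchall()


def failure_of(fn, *args):
    """Return the exception class name raised by fn(*args), or None if it succeeds."""
    try:
        fn(*args)
    except Exception as exc:  # demo helper: only the class name is of interest
        return type(exc).__name__
    return None


if __name__ == "__main__":
    db = make_db()
    print(query_param(db, "Joe Bloggs", "01/05/2013", "01/06/2013"))             # 2 May rows
    print(failure_of(query_concat, db, "Mary O'Neil", "01/05/2013", "01/06/2013"))  # OperationalError
    print(query_param(db, "Mary O'Neil", "01/05/2013", "01/06/2013"))            # 1 row
    print(failure_of(parse_gb_date, "05/24/2013"))                               # ValueError
```

The same apostrophe that makes the concatenated query fail with a syntax error is what an attacker would use to rewrite the WHERE clause, so a failing test like the one above is a cheap check that a query is still being built by concatenation. Parsing the textbox with a fixed format and passing an ISO date (or a typed DateTime parameter, as in the answer) also removes the dependency on the thread's current culture.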
1

First off, you should use SqlParameters!!!

It is much safer and you will also get rid of the date conversion issue.

    SqlCommand cmd = new SqlCommand();
    cmd.CommandText = @"
    Select  analyst as Analyst,
            sample_description,
            RFA_number,
            convert(varchar(10), updated_date, 103) as updated_date,
            customer,
            po_number,
            total_charged
    from    New_Analysis_Data
    where   analyst = @analyst
    and     updated_date between @startdate and @enddate";

    technician_sqlsource.SelectCommand = cmd;

    technician_sqlsource.SelectCommand.Parameters.Add(new SqlParameter("@analyst", FullName));
    technician_sqlsource.SelectCommand.Parameters.Add(new SqlParameter("@startdate", CDate(startdate.Text)));
    technician_sqlsource.SelectCommand.Parameters.Add(new SqlParameter("@enddate", CDate(enddate.Text)));

2 Comments

Looks good, but I now get an error on technician_sqlsource.SelectCommand = cmd, as it says the value of technician_sqlsource.SelectCommand cannot be converted to a string.
Yes, you're right; then add the parameters to technician_sqlsource rather than the cmd.
1

If you still want to use your old (unsafe) style .. you can try this ..

technician_sqlsource.SelectCommand = "Select analyst as Analyst, sample_description, RFA_number, convert(varchar(10), updated_date, 103)as updated_date, customer, po_number, total_charged from New_Analysis_Data where analyst =  '" & FullName & "' and updated_date > #" & startdate.Text & "# and updated_date < #" & enddate.Text & "#"

But later you must use query parameters .. to prevent SQL injection!

5 Comments

Quick question: what's the # for?
Doesn't work for me, I'm afraid; I get multiple errors to do with the date format.
Nope, still get the original error... arrrggghhh. Thanks for trying to help though.
I use 2 textboxes with 2 AJAX calendar extenders.
If you used the VB DateTimePicker .. I think my first try will work, but the AJAX calendar extender .. I don't know .. sorry.
0

Try this:

technician_sqlsource.SelectCommand = "Select analyst as Analyst, sample_description, RFA_number, convert(varchar(10), updated_date, 103)as updated_date, customer, po_number, total_charged from New_Analysis_Data where analyst =  '" & FullName & "' and updated_date > '" & CDate(startdate.Text) & "' and updated_date < '" & CDate(enddate.Text) & "'"

1 Comment

@user2050577: You are getting the same error because the string is converted to a date first, then the SQL query is executed. But because the string is not a valid datetime, the answer of ITBeginner doesn't solve your first problem. So first use SQL parameters, then solve your string-to-date conversion issue (you haven't shown examples), then use the correct SQL, which is also easier when you don't concatenate strings into a SQL query but use parameters.
