1

Below is the code I have; I can't for the life of me work out what is wrong with the query.

I originally had the error "no value given for 1 or more parameters", which seems to have gone away (although again I don't even know why I was getting it).

The connection is opened prior to this code. The parameter GVars.thisFY is a string = "FY13" - this table definitely exists. The parameter GVars.currentDate is a DateTime = today.

Records definitely exist for this [Destination] and [Next Collection] range:

string sql;
OleDbDataAdapter adapter;

sql = "SELECT * FROM @CurFY WHERE [Destination] = @Destination AND [Next Collection] BETWEEN @NextCollectionA AND @NextCollectionB;";

// Create the command object
OleDbCommand cmd = new OleDbCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = sql;

// Add values to the fields
cmd.Parameters.AddWithValue("@CurFY", GVars.thisFY);
cmd.Parameters.AddWithValue("@Destination", "Henwood");
cmd.Parameters.AddWithValue("@NextCollectionA", GVars.currentDate);
cmd.Parameters.AddWithValue("@NextCollectionB", GVars.currentDate.AddDays(1));

adapter = new OleDbDataAdapter(cmd.CommandText, conn);

try
{
    adapter.Fill(ds);

    GVars.bLblLastUpdate = DateTime.Now.ToString("HH:mm:ss");
}
catch (Exception ex)
{
}

EDIT: I have changed the code to remove the table parameter as below; still getting the "no value given for 1 or more parameters" though, which I can't pin down.

EDIT2: I removed the extra stuff so the post relates only to the original question, which has been answered. I will make a new question for my strange "no value given" error.

5
  • 1
    You can't have the table name as a parameter. See also this question: stackoverflow.com/questions/14124261/… Commented Jun 10, 2013 at 11:03
  • 2
    Your main mistake here was swallowing the exception; there are very few good places to do that, and this isn't one of them. Commented Jun 10, 2013 at 11:06
  • 1
    What database system (and which version) are you using? SQL is just the query language - and it's used by many database systems, that doesn't really tell us anything.... Commented Jun 10, 2013 at 11:07
  • The database is in Access (2003-2003 format). Commented Jun 10, 2013 at 11:10
  • @Marc Gravell what do you mean? The catch block is empty since I'm only using it to see the error my coding is producing, once this is sorted I will add a less generalized catch for network/database issues etc. Is that what you meant? Commented Jun 10, 2013 at 13:35

2 Answers

5

You cannot parameterize queries with names of tables, views, or columns. Only data members can be parameterized.

You need to build your SQL dynamically, e.g. like this:

sql = string.Format(
    "SELECT * FROM {0} WHERE [Destination] = @Destination AND [Next Collection] BETWEEN @NextCollectionA AND @NextCollectionB;"
,  GVars.thisFY
);

This should be done only if GVars.thisFY is controlled by your code, e.g. comes from a pre-defined list or checked for absence of non-alphanumeric characters to avoid SQL injection attacks.

7 Comments

Don't I feel stupid... OK, removed that parameter; now it tells me again that there is no value given for 1 or more parameters.
If GVars.thisFY somehow comes from the client (e.g. a dropdown, which could be manually altered), this would impose a security vulnerability. Sanitise your input before sticking it into a query.
@IanAbbott "no value given for 1 or more parameters" That's strange... Did you also remove the @ from the query? Your query should have only 3 @s now, and there should be 3 calls of AddWithValue in the code.
I have updated my original post with the current revised code.
@IanAbbott Just a suggestion: The code would be more robust (and perhaps somewhat safer, too) if the table name was enclosed in square brackets, i.e., SELECT * FROM [{0}] ....
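
The check this answer asks for (table name taken from a known pattern) combined with the bracket quoting suggested in the comment above, as an added C# example that is not part of the original answers or comments. The "FY plus two digits" naming rule and the names `CollectionQueries`, `QuoteTableName` and `LoadCollections` are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Text.RegularExpressions;

static class CollectionQueries // hypothetical helper class
{
    // Assumption: fiscal-year tables are always named "FY" plus two digits, like the question's "FY13".
    static readonly Regex TableNamePattern = new Regex(@"\AFY[0-9]{2}\z", RegexOptions.CultureInvariant);

    // Returns the name wrapped in square brackets, or throws if it is not an expected table name.
    public static string QuoteTableName(string name)
    {
        if (name == null || !TableNamePattern.IsMatch(name))
            throw new ArgumentException("Unexpected table name.", nameof(name));
        return "[" + name + "]";
    }

    public static DataSet LoadCollections(OleDbConnection conn, string fiscalYearTable,
                                          string destination, DateTime start, DateTime end)
    {
        // Only the validated identifier is concatenated; every value stays a parameter.
        string sql = "SELECT * FROM " + QuoteTableName(fiscalYearTable) +
                     " WHERE [Destination] = @Destination" +
                     " AND [Next Collection] BETWEEN @NextCollectionA AND @NextCollectionB;";
        using (var cmd = new OleDbCommand(sql, conn))
        {
            // OleDb binds parameters by position, so add them in the order they appear in the SQL.
            cmd.Parameters.AddWithValue("@Destination", destination);
            cmd.Parameters.Add("@NextCollectionA", OleDbType.Date).Value = start;
            cmd.Parameters.Add("@NextCollectionB", OleDbType.Date).Value = end;
            // Hand the command itself to the adapter so its parameter collection is used.
            using (var adapter = new OleDbDataAdapter(cmd))
            {
                var ds = new DataSet();
                adapter.Fill(ds);
                return ds;
            }
        }
    }

    static void Main()
    {
        // Constructed inputs: one expected table name and one tampered value.
        Console.WriteLine(QuoteTableName("FY13"));
        try { QuoteTableName("FY13]; --"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```
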
0

Try this one -

// Insert the table name into the statement text; the values remain parameters
sql = string.Format(
    "SELECT * FROM {0} WHERE [Destination] = @Destination AND [Next Collection] BETWEEN @NextCollectionA AND @NextCollectionB;",
    GVars.thisFY
);

cmd.Parameters.AddWithValue("@Destination", "Henwood");
cmd.Parameters.AddWithValue("@NextCollectionA", GVars.currentDate);
cmd.Parameters.AddWithValue("@NextCollectionB", GVars.currentDate.AddDays(1));

1 Comment

If GVars.thisFY somehow comes from the client (e.g. a dropdown, which could be manually altered), this would impose a security vulnerability. Sanitise your input before sticking it into a query.
