
I have a basic vb.net program that pulls a query from an SQL database. My program works correctly if I hard code the date, however when I change the code from:

Dim dtstartdate As String = DateTime.Today
Dim dttomorrow As DateTime = DateTime.Today.AddDays(1)
Dim dtenddate As DateTime = dttomorrow.AddSeconds(-1)
Try
    For icounter = 1 To 2
        Call GetLocationInfo()



        connectionString = "Data Source=" & LocationDB & ";Initial Catalog=database;Persist Security Info=True;User ID=login;Password=password"


        sql = "select count(sTicket_number) as tickets from tickets where dtcreated between 2/8/2014 AND 2/9/2014 "
        sqlCnn = New SqlConnection(connectionString)

        sqlCnn.Open()

TO:

Dim dtstartdate As String = DateTime.Today
Dim dttomorrow As DateTime = DateTime.Today.AddDays(1)
Dim dtenddate As DateTime = dttomorrow.AddSeconds(-1)

Try
    For icounter = 1 To 2
        Call GetLocationInfo()



        connectionString = "Data Source=" & LocationDB & ";Initial Catalog=database;Persist Security Info=True;User ID=login;Password=password"


        sql = "select count(sTicket_number) as tickets from tickets where dtcreated between " & dtstartdate & " AND " & dtenddate & ""
        sqlCnn = New SqlConnection(connectionString)

        sqlCnn.Open()

I get a "Syntax Error near '11'". What am I doing incorrectly with the dtstartdate and dtenddate?

  • Did you try putting single quotes around the dates? select count(sTicket_number) as tickets from tickets where dtcreated between '" & dtstartdate & "' AND '" & dtenddate & "'"? Commented Feb 9, 2014 at 22:55
  • I didn't, and that seemed to have worked. Why do I need to add the single quotes? Commented Feb 9, 2014 at 22:56
  • Dates are enclosed in single quotes in SQL. Not sure why it worked for you when they were hard-coded without single quotes. Commented Feb 9, 2014 at 22:57
  • OK, do you want to put your answer up, and I'll accept it? Commented Feb 9, 2014 at 22:57
  • The hard-coded version worked because it is only a date. A DateTime also contains a time part, which is separated from the date by whitespace. Commented Feb 9, 2014 at 23:03

2 Answers

You need to be using SQL parameters instead. Otherwise you are looking at a lot of debugging in the long run, and your code is vulnerable to SQL injection.

sql = "select count(sTicket_number) as tickets from tickets where dtcreated between @START_DATE AND @END_DATE"

Dim cmd As New SqlCommand(sql, sqlCnn)

cmd.Parameters.AddWithValue("@START_DATE", dtstartdate)
cmd.Parameters.AddWithValue("@END_DATE", dtenddate)


You need to enclose the dates in single quotes ('). Additionally, I'd recommend getting into the practice of using parameterized queries to prevent SQL Injection Attacks. Something like this:

Using sqlCnn As SqlConnection = New SqlConnection(connectionString)

    sql = "select count(sTicket_number) as tickets from tickets where dtcreated between @StartDate AND @EndDate"
    ' Create the command against this connection and bind the two date values
    ' to the placeholders; ADO.NET sends them separately from the SQL text.
    Dim cmd As New SqlCommand(sql, sqlCnn)
    cmd.Parameters.AddWithValue("@StartDate", dtstartdate)
    cmd.Parameters.AddWithValue("@EndDate", dtenddate)

    sqlCnn.Open()

    ' Do the rest of your data access here

End Using

Using a parameterized query will both prevent SQL Injection Attacks and enable you to supply the parameter values without worrying about whether they need to be quoted or not.
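The following is an added, self-contained VB.NET example (it is not code from the question or from either answer) that puts both answers together: the day's ticket count is fetched with typed SQL parameters, and a second helper shows the raw text that the question's concatenation actually sends to the server, which is where the unquoted time part comes from. The `tickets` table and the `dtcreated` / `sTicket_number` columns are taken from the question; the connection string and the `DateTime2` column type are assumptions.

```vbnet
' Added example, not part of the original question or answers.
' Assumes: a 'tickets' table with 'dtcreated' (datetime2) and 'sTicket_number'
' columns as in the question, and a caller-supplied SQL Server connection string.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module TicketCounts

    ' Counts tickets created on the given calendar day using typed parameters.
    Public Function CountTicketsCreatedOn(connectionString As String, day As DateTime) As Integer
        ' Half-open range [startOfDay, nextDay) catches rows stamped in the last
        ' second of the day, which "between start and nextDay.AddSeconds(-1)" drops.
        Dim startOfDay As DateTime = day.Date
        Dim nextDay As DateTime = startOfDay.AddDays(1)

        ' The SQL text holds only placeholders; the values travel separately, so
        ' quoting, culture-specific date formats and injection are all non-issues.
        Const sql As String = "SELECT COUNT(sTicket_number) AS tickets FROM tickets " &
                              "WHERE dtcreated >= @StartDate AND dtcreated < @EndDate"

        Using cnn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, cnn)
                ' Declare the SQL type explicitly rather than letting AddWithValue
                ' infer it: a String value (as dtstartdate is in the question) would be
                ' sent as nvarchar and converted server-side according to the session's
                ' language settings. Use SqlDbType.DateTime if the column is 'datetime'.
                cmd.Parameters.Add("@StartDate", SqlDbType.DateTime2).Value = startOfDay
                cmd.Parameters.Add("@EndDate", SqlDbType.DateTime2).Value = nextDay

                cnn.Open()
                Return Convert.ToInt32(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' Reproduces the string the question's code builds, so the problem is visible
    ' without a database: the time parts ("12:00:00 AM", "11:59:59 PM") land
    ' unquoted in the SQL text, which is what the server trips over.
    Public Function ConcatenatedQueryText(day As DateTime) As String
        Dim dtstartdate As String = day.Date.ToString()            ' e.g. "2/9/2014 12:00:00 AM"
        Dim dtenddate As DateTime = day.Date.AddDays(1).AddSeconds(-1)
        Return "select count(sTicket_number) as tickets from tickets where dtcreated between " &
               dtstartdate & " AND " & dtenddate & ""
    End Function

    Sub Main()
        ' Constructed sample date; no server is needed to see the broken text.
        Console.WriteLine(ConcatenatedQueryText(New DateTime(2014, 2, 9)))
        ' Against a real server (connection string is a placeholder):
        ' Console.WriteLine(CountTicketsCreatedOn("<your connection string>", DateTime.Today))
    End Sub

End Module
```

Two design choices worth noting: the range is half-open (`>=` start, `<` next day) instead of `BETWEEN ... AND tomorrow - 1 second`, so rows created in the final second of the day are not silently excluded; and the parameters are added with an explicit `SqlDbType` so the value's .NET type cannot change how the server interprets it.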
