The Parameter '@AAA" must be defined error?

Question

savedlema 17 Junior Poster

11 Years Ago

Hi!
I just learnt to use the "Parameters.AddWithValue" to prevent harm of sql injections.However, I have only been able to do this with the INSERT, but I have trouble using that with SELECT and UPDATE. Please Look at my code with UPDATE

        Try
            ConnectionSettings()
            con.Open()

            Dim SqlUpdate As String

            SqlUpdate = "UPDATE tblStudents SET Surname = @Surname"
            cmd.Parameters.AddWithValue("@Surname", txtSurname.Text)

            cmd = New MySqlCommand(SqlUpdate, con)
            cmd.ExecuteNonQuery()

            MsgBox("Updated")
            con.Close()

        Catch ex As MySqlException
            MsgBox("Error " & ex.Message)
        End Try

The cmd.ExecuteNonQuery() was highlighted and I can also see the error msg "The Parameter '@Surname' must be defined", I thought I had defined it by cmd.Parameters.AddWithValue("@Surname", txtSurname.Text)? I get the same with SELECT statement.I've tried a Google search to no avail.

Any help please?

Thanks.

vb.net

Edited 11 Years Ago by savedlema because: Edited the title

4 Contributors
7 Replies
1K Views
4 Days Discussion Span
Latest Post 11 Years Ago Latest Post by savedlema

Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators.

11 Years Ago

If you are using an oledb interface then you have to use "?" when adding values as in

'OLEDB is more generic (can be used for different data sources) and supports
'parameters but they are unnamed and positional

ListView1.Items.Clear()

Dim con As New OleDbConnection("Provider=SQLNCLI10;Server=.\SQLEXPRESS;Database=PUBS;Trusted_Connection=Yes;")
Dim cmd As New OleDbCommand("", con)

cmd.CommandText = "SELECT au_lname,au_fname,zip FROM authors WHERE au_lname like ?"
cmd.Parameters.Add("@pan", OleDbType.VarChar).Value = "D%"

con.Open()
Dim rdr As OleDbDataReader = cmd.ExecuteReader()

Do While rdr.Read
    ListView1.Items.Add(New ListViewItem({rdr.GetString(0), rdr.GetString(1), rdr.GetString(2)}))
Loop

rdr.Close()
con.Close()

OleDb does not support named parameters. You can see the difference between SqlClient and OleDb here. That's the same sample code I posted a link to just above.

Edited 11 Years Ago by Reverend Jim

TnTinMN 418 Practically a Master Poster

11 Years Ago

You have mixed together various statements that are not necessarily related.

     ConnectionSettings() ' this does what?

     ' I assume that con is a MySqlConnection defined elsewhere
    ' don't need to open connect, the dataadapter will handle open/close
    'con.Open()

    Dim sql As String

    ' you do realize that this dataset will only exist in the context of this code block?
    Dim ds As New DataSet
    Dim da As MySqlDataAdapter

    Dim RowsNo As Integer ' purpose for this ?

    Dim cmd as New MySqlCommand()
    cmd.Connection = con

    sql = "SELECT * FROM tblStudents WHERE StudentID = @studentid"
    cmd.CommandText = sql
    cmd.Parameters.AddWithValue("@studentid", txtStudentID.Text)

    ' why this is here I have no clue
    'cmd.ExecuteNonQuery()

    ' feed the dataadapter the command
    dim da as New MySqlDataAdapter(cmd)

    ' use the adapter to create and fill the table Students
    da.Fill(ds, "Students")

    msgbox(ds("Students").Rows.count.ToString)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

savedlema 17 Junior Poster · Answer 1 · 2013-02-21T10:58:54+00:00

Update:
I have been able to solve this by adding:

     cmd = New MySqlCommand("", con)
    cmd.CommandText = "UPDATE tblStudents SET Surname = @Surname

But I would love some explanation please (I'm new to VB+Mysql)

pritaeas 2,194 ¯\_(ツ)_/¯ Moderator Featured Poster · Answer 2 · 2013-02-21T11:11:11+00:00

The cmd.Parameters can only be used if the cmd has a query (CommandText) set which defines that parameter. In your OP you used a string for your query, instead of the CommandText.

score 0 · Answer 3 · 2013-02-21T11:14:02+00:00

Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators.

11 Years Ago

You can find sample code here

savedlema 17 Junior Poster · Answer 4 · 2013-02-21T20:49:53+00:00

Thanks all..Then, why wouldn't this work? I want to fill the SELECT results to the dataset, and then fetch them from the dataset to textboxes..but this piece of code...

       ConnectionSettings()
        con.Open()
        Dim sql As String
        Dim ds As DataSet = New DataSet
        Dim da As MySqlDataAdapter
        Dim RowsNo As Integer

        cmd = New MySqlCommand("", con)
        sql = "SELECT * FROM tblStudents WHERE StudentID = @studentid"
        cmd.CommandText = sql

        cmd.Parameters.AddWithValue("@studentid", txtStudentID.Text)
        cmd.ExecuteNonQuery()

        da = New MySqlDataAdapter(sql, con)
        da.Fill(ds, "Students")

Does not work. With this, I get the error "The parameter @StudentID must be defined"

If I comment out:

            'da = New MySqlDataAdapter(sql, con)
            'da.Fill(ds, "Students")

I get no error msg (I assume no problem up to that code), even when I add Msgbox ("Success") after the 'cmd.ExecuteNonQuery() 'Sucess' will be displayed, meaning there is no problem to that line. I think I need a little help on how to put the results of the above SELECT to a dataset (MySQL)
Thanks all.

savedlema 17 Junior Poster · Answer 5 · 2013-02-25T14:08:35+00:00

savedlema 17 Junior Poster

11 Years Ago

There is a success. Thank you all. SOLVED.