1

I am trying a parameterized search to prevent SQL injection. However, the error "No value given for one or more required parameters" comes up.

    Dim sql As String
    Call connect()
    con.Open()
    sql = "Select * from Records where Customer_ID=@CustomerID"
    cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)
    cmd = New OleDbCommand(sql, con)
    dr = cmd.ExecuteReader
    While dr.Read
        Txt_Customer_ID.Text = dr(0)
        Txt_Customer_Name.Text = dr(1)
        Txt_Customer_Contact.Text = dr(2)
        Txt_Delivery_Method.Text = dr(3)
        Txt_Reference.Text = dr(4)
    End While

    con.Close()

The Customer_ID field in the database is a text type, and I need to know how to finish this search without running into the error.

Ahmed Faizan

2 Answers

2

Got the answer! Thank you to everyone who tried.

    cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)

line must be below

    cmd = New OleDbCommand(sql, con)

Here is the code that works:

    Dim sql As String
    Call connect()
    con.Open()
    sql = "Select * from Records where Customer_ID=@CustomerID"

    ' Create the command first, then add the parameter to that command object
    cmd = New OleDbCommand(sql, con)
    cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)
    dr = cmd.ExecuteReader
    While dr.Read
        ' Copy the columns of the matching row into the form fields
        Txt_Customer_ID.Text = dr(0)
        Txt_Customer_Name.Text = dr(1)
        Txt_Customer_Contact.Text = dr(2)
        Txt_Delivery_Method.Text = dr(3)
        Txt_Reference.Text = dr(4)
    End While

    con.Close()

Ahmed Faizan
1

Change the order like this:

    cmd = New OleDbCommand(sql, con)
    cmd.Parameters.AddWithValue("@CustomerID", Txt_Customer_ID.Text)

Al-3sli
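
A hardened variant of the working query from the answers above, as an added example that is not part of either answer: the parameter is attached to the command after it is created, it is given an explicit text type to match the Customer_ID column, and the connection, command and reader are disposed even if the query throws. The names `CustomerLookup`, `FindRecord` and `connectionString` are hypothetical; the page's own `connect()` helper is not shown, so the connection string is assumed to come from the caller.

```vbnet
Imports System.Data.OleDb

Module CustomerLookup
    ' Hypothetical helper: returns the columns of the first matching row as
    ' strings, or Nothing when no record has the given Customer_ID.
    Function FindRecord(connectionString As String, customerId As String) As String()
        ' OleDb binds parameters by position, not by name, so a "?" marker
        ' states what actually happens. The user input never becomes SQL text.
        Const sql As String = "SELECT * FROM Records WHERE Customer_ID = ?"

        Using con As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, con)
                ' Add the parameter to the command that will be executed,
                ' after that command exists (the ordering bug in the question).
                ' An explicit text type avoids the type guessing of AddWithValue.
                cmd.Parameters.Add("@CustomerID", OleDbType.VarWChar).Value = customerId

                con.Open()
                Using dr As OleDbDataReader = cmd.ExecuteReader()
                    If Not dr.Read() Then
                        Return Nothing
                    End If

                    ' Copy every column, mapping database NULL to an empty string
                    ' so the result can be assigned to text boxes directly.
                    Dim fields(dr.FieldCount - 1) As String
                    For i As Integer = 0 To dr.FieldCount - 1
                        fields(i) = If(dr.IsDBNull(i), String.Empty, dr.GetValue(i).ToString())
                    Next
                    Return fields
                End Using
            End Using
        End Using
    End Function
End Module
```

With more than one parameter, add them in the same order as the `?` markers appear in the SQL text, because OleDb ignores the parameter names.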