How to insert customer details into Orders table

0
votes

I have an assignment to build a basic database driven e-commerce site. I have a home page, a products page, an orders page, an order confirm page, a shopping cart page and a view current orders page. The site uses an Access database with three tables.

A Customer table, with all of the customer details, (FirstName, LastName, EmailAdd, CardNo, CardEx, SortCode, DeliveryAdd, Postcode)

A Products table, with all the product information, (ProductID, ProductName, Price, ProductType, Images, ProductDescription).

And an Orders table which contains CustomerID and ProductID.

I'm trying to create an INSERT statement on the orders page so that when the customer inserts their details and presses the submit button the customers table will have a new record inserted. I also want this to create an entry in the orders table and redirect the client to the order confirm page which will display the details of the order.

Here is my code which runs when the submit button is clicked on the order form.

EDIT I've fixed the error with the missing apostrophe. Attempting to insert using two sql commands as I've been told that access databases can't handle two at once. Still getting an error though.

  Protected Sub btnAddRecord_Click(ByVal sender As Object, ByVal e As System.EventArgs)

    Dim strFirstName As String
    Dim strLastName As String
    Dim strEmailAdd As String
    Dim intCardNo As String
    Dim strCardEx As String
    Dim intSortCode As String
    Dim strDeliveryAdd As String
    Dim strPostCode As String
    Dim intProductID As Integer
    strFirstName = tbxFirstName.Text
    strLastName = tbxLastName.Text
    strEmailAdd = tbxEmailAdd.Text
    intCardNo = tbxCardNo.Text
    strCardEx = tbxCardEx.Text
    intSortCode = tbxSortCode.Text
    strDeliveryAdd = tbxDeliveryAdd.Text
    strPostCode = tbxPostcode.Text
    intProductID = ddlProduct.SelectedValue
    
    Dim strDatabaseNameAndLocation As String
    strDatabaseNameAndLocation = Server.MapPath("KingToots.mdb")
    Dim strSQLCommand As String
    strSQLCommand = "INSERT INTO Customer(FirstName, LastName, EmailAdd, CardNo, CardEx, SortCode, DeliveryAdd, Postcode) " & _
        "Values ('" & strFirstName & "', '" & strLastName & "', '" & strEmailAdd & "', '" & intCardNo & "', '" & strCardEx & "', '" & intSortCode & "', '" & strDeliveryAdd & "', '" & strPostCode & "');"
    Dim objOleDbConnection As System.Data.OleDb.OleDbConnection
    objOleDbConnection = New System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.Oledb.4.0; Data Source=" & strDatabaseNameAndLocation)
    objOleDbConnection.Open()
    Dim objOleDbCommand As System.Data.OleDb.OleDbCommand
    objOleDbCommand = New System.Data.OleDb.OleDbCommand(strSQLCommand, objOleDbConnection)
    objOleDbCommand.ExecuteNonQuery()
    objOleDbConnection.Close()
    strSQLCommand = "INSERT INTO Orders(ProductID) " & "Values ('" & intProductID & "');"
    objOleDbConnection = New System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.Oledb.4.0; Data Source=" & strDatabaseNameAndLocation)
    objOleDbConnection.Open()
    objOleDbCommand = New System.Data.OleDb.OleDbCommand(strSQLCommand, objOleDbConnection)
    objOleDbCommand.ExecuteNonQuery()
    objOleDbConnection.Close()
    strSQLCommand = "SELECT Customer.* FROM Customer ORDER BY Customer.CustomerID DESC;"
    objOleDbConnection = New System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.Oledb.4.0; Data Source=" & strDatabaseNameAndLocation)
    objOleDbConnection.Open()
    objOleDbCommand = New System.Data.OleDb.OleDbCommand(strSQLCommand, objOleDbConnection)
    Dim objOleDbDataReader As System.Data.OleDb.OleDbDataReader
    objOleDbDataReader = objOleDbCommand.ExecuteReader()
    Dim datDataTable As System.Data.DataTable
    datDataTable = New System.Data.DataTable()
    datDataTable.Load(objOleDbDataReader)
    objOleDbConnection.Close()
    tbxFirstName.Text = ""
    tbxLastName.Text = ""
    tbxEmailAdd.Text = ""    
    tbxCardNo.Text = ""
    tbxCardEx.Text = ""
    tbxSortCode.Text = ""
    tbxDeliveryAdd.Text = ""
    tbxPostcode.Text = ""

End Sub
2
sqlvb.nete-commerce
Your code is an official invitation for SQL-Injection. Use parameters.Tim Schmelter
If you're not worried about SQL injection, kindly post the link where this is going to be hosted; I'm sure someone here will show you why in a few seconds... (be sure to have a backup of the database! and expect customer or orders table to 'disappear'xQbert
Hi it's hosted on the university server which requires a user name and password so the lecturer can mark it. I don't think I can give a direct link to it.Keys

2 Answers

1
votes

You're missing the closing quotes at the end of this line:

strSQLCommand = "INSERT INTO Customer(FirstName, LastName, EmailAdd, CardNo, CardEx, SortCode, DeliveryAdd, Postcode) " & _
    "Values ('" & strFirstName & "', '" & strLastName & "', '" & strEmailAdd & "', '" & intCardNo & "', '" & strCardEx & "', '" & intSortCode & "', '" & strDeliveryAdd & "', '" & strPostCode & ");"

About the obvious SQL injection problem, switching to parameters would be the best way to do it (and you'd never have your original issue if you did, parameters don't use quotes), but at the very least run a replace on your strings to replace ' with '' so your program doesn't just die if you get a customer called O'Neil.

0
votes

He is correct, you don't want to do this you will get sql injection. But here is the solution to your problem anyway.

The problem is not in the last sql statement but in the previous one.

'" & strPostCode & " is missing the last single quote.

it should read:

'" & strPostCode & "');