Home/ Questions/Q 741587
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T08:38:59+00:00

I have a date column in a DB tabel that I want to query

  • 0

I have a date column in a DB tabel that I want to query using a date taken from textbox.text. the user selects a date from the calendar in the format dd/MM/yyyy. I want to use that date to put into a query. How do i format the date to be able to query the database?

  Dim datefrom As String =txtDateFrom.Text
  Dim dateto As String =txtDateTo.Text

The query will look like this:

  WHERE (tblClient.ClientID = " & ClientID & ") AND (tblBackupArchive.BackupDate BETWEEN '" + datefrom + "' AND '" + dateto + "')"

I’m using MS SQL Server btw. Any help most appreciated.

Jonesy

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    NEVER USE STRING CONCATENATION LIKE THAT TO BUILD YOUR QUERIES!!!

    And yes, I did mean to yell, because date formatting is the least of your problems. Imagine what would happen in your current code if something entered the following into one of your date textboxes:

    ‘;DROP TABLE tblClient;–

    Instead, use a parameterized query. That will fix your date issues and protect against sql injection attacks. Here’s an example:

    Dim sql As String = " .... WHERE tblClient.ClientID= @ClientID AND tblBackupArchive.BackupDate >= @DateFrom AND tblBackupArchive.Backupdate < @DateTo"

Using cn As New SqlConnection("your connection string here"), _
      cmd As New SqlCommand(sql, cn)

    cmd.Parameters.Add("@ClientID", SqlDbType.Int).Value = ClientID
    cmd.Parameters.Add("@DateFrom", SqlDbType.DateTime).Value = DateTime.Parse(txtDateFrom.Text)
    cmd.Parameters.Add("@DateTo", SqlDbType.DateTime).Value = DateTime.Parse(txtDateTo.Text).AddDays(1)

    cn.Open()

    cmd.Execute___()

End Using

    You can think of it now as if you had run an sql statement more like this:

    DECLARE @ClientID Int
DECLARE @DateFrom DateTime
DECLARE @DateTo DateTime

Set @ClientID = ImaginaryFunctionToGetQueryData('ClientID')
Set @DateFrom = ImaginaryFunctionToGetQueryData('DateFrom')
Set @DateTo   = ImaginaryFunctionToGetQueryData('DateTo')

SELECT ... 
FROM ... 
WHERE tblClient.ClientID= @ClientID 
    AND tblBackupArchive.BackupDate >= @DateFrom 
    AND tblBackupArchive.Backupdate < @DateTo

    The “ImaginaryFunction” in that code is accomplished using the sp_executesql stored procedure, but the point is that the query string as seen by sql server will never substitute data directly into the query string. Code is code, data is data, and never the ‘twain shall meet.

    • 0