ORDER BY gives the error message "incorrect syntax". I have two code lines for ORDER BY; the first code lines work but the second code lines don't work.

Hello friends,

My first code lines are below, but they don't work and the error message is "incorrect syntax near the order". What should I do? I have SqlDataSource1 and GridView1 for my first code lines, and I chose SqlDataSource1 as the data source of GridView1. It works when I delete "order"; it just works for "Select * from product where name= '" & Request("TextBox1") & "' and name1= '" & Request("TextBox2") & "' and name2= '" & Request("TextBox3") & "'"

order = "ORDER BY datetime"

(I have also tried price or name instead of datetime.)

yeni1 = yeni1 + order

SqlDataSource1.SelectCommand = yeni1 ' Finishing first code lines


My second code lines are below, and they work. The data source of GridView1 is set to none.

Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

Dim cn As New SqlConnection(ConfigurationManager.ConnectionStrings("NORTHWNDConnectionString").ToString)

Dim yeni, yeni1, yeni2, order As String

' Each fragment is built by concatenating the raw TextBox text into the SQL
yeni = "and CategoryID='" & TextBox2.Text & "'"
yeni1 = "Select * from products where SupplierID= '" & TextBox1.Text & "'"
order = "order by ProductName DESC"

' The three fragments are joined with no separating spaces
yeni2 = yeni1 + yeni + order

Dim Sql As String = yeni2
Dim da As New SqlDataAdapter(Sql, cn)
Dim dt As New Data.DataTable

' Fill the table with the query result and bind it to the grid
da.Fill(dt)
GridView2.DataSource = dt
GridView2.DataBind()



6/12/2008 3:52:22 PM
There must be a space before "order" in "order by".

And you really must fix your SQL queries. Your database is at risk. Look up the term "SQL injection".

6/12/2008 3:59:01 PM

You need to have a space before "order"; your query will generate an SQL statement like this:

Select * from product where name= 'abc' and name1 = 'xyz' and name2 ='dhl'order by ....

You need to put a white space before the "order by" keyword.

6/12/2008 4:00:29 PM


I have tried a space:

" order by name" (there is a space before order :) )

Besides, I have tried this (below), but it doesn't work:

space=" "
yeni2= yeni1+space+yeni2


6/12/2008 4:06:45 PM

Well, then check what you have in yeni2 when it's ready. Clearly you are still missing some spaces. But your very dangerous SQL queries are worse. If you don't fix them, anyone with access to the page will be able to delete your entire database.

6/12/2008 4:33:07 PM


Thank you for your answer :)

I just see "ORDER BY name" when I use TextBox1.Text to display what yeni2 contains, so I have solved this problem.

If anybody enters "DELETE * from table1" into TextBox1, will the records of my table1 be deleted? Could you give me advice or the web site address of an article?


6/12/2008 5:06:43 PM



"If anybody enters DELETE * from table1 into TextBox1, will the records of my table1 be deleted?"

No, but if they enter

';DELETE FROM table1--

then the query becomes

Select * from products where SupplierID= '';DELETE FROM table1--' ORDER BY etc....
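An added example, not written by anyone in this thread: the second query from the question rewritten with SqlParameter, so that text typed into the boxes (including the payload shown above) is only ever compared as a value and never executed as SQL. The connection string name, TextBox1, TextBox2 and GridView2 are taken from the question; ProductSearch, Button1, DropDownList1 and Label1 are assumed names.

```vb
' Added example, not the poster's code: the second query from the question with parameters.
' Assumed names: ProductSearch, Button1, DropDownList1, Label1.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

Partial Class ProductSearch
    Inherits System.Web.UI.Page

    ' ORDER BY cannot take a parameter, so the sort column comes from a fixed allow-list.
    Private Shared ReadOnly AllowedSortColumns As String() = {"ProductName", "SupplierID", "CategoryID"}

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
        ' SupplierID and CategoryID are integers in Northwind; reject anything else up front.
        Dim supplierId, categoryId As Integer
        If Not Integer.TryParse(TextBox1.Text, supplierId) OrElse _
           Not Integer.TryParse(TextBox2.Text, categoryId) Then
            Label1.Text = "SupplierID and CategoryID must be whole numbers."
            Return
        End If

        Dim sortColumn As String = "ProductName"
        If Array.IndexOf(AllowedSortColumns, DropDownList1.SelectedValue) >= 0 Then
            sortColumn = DropDownList1.SelectedValue
        End If

        ' The SQL text is fixed; user input travels only in parameter values, so a value
        ' such as ';DELETE FROM table1-- is compared as data, never run as a statement.
        ' Note the leading spaces before AND and ORDER BY (the other bug in the thread).
        Dim sql As String = "SELECT * FROM Products WHERE SupplierID = @SupplierID" & _
                            " AND CategoryID = @CategoryID" & _
                            " ORDER BY " & sortColumn & " DESC"

        Using cn As New SqlConnection( _
                ConfigurationManager.ConnectionStrings("NORTHWNDConnectionString").ConnectionString)
            Using da As New SqlDataAdapter(sql, cn)
                da.SelectCommand.Parameters.Add("@SupplierID", SqlDbType.Int).Value = supplierId
                da.SelectCommand.Parameters.Add("@CategoryID", SqlDbType.Int).Value = categoryId

                Dim dt As New DataTable()
                da.Fill(dt)                ' Fill opens and closes the connection itself
                GridView2.DataSource = dt
                GridView2.DataBind()
            End Using
        End Using
    End Sub
End Class
```

The same idea applies to the SqlDataSource used in the first code lines: put @-placeholders in SelectCommand and supply the values through its SelectParameters instead of concatenating Request values.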

6/12/2008 8:01:25 PM

Could you give me advice or the web site address of an article?


6/12/2008 8:03:12 PM

