在SQL查询中使用VBA组合框值返回类型不匹配

Question

I have a user form that contains a list of agents. When you click on an agent and click a button to mark them as not here, a popup comes up that requires you to pick a reason they aren't here.

This popup also contains a box that should display the current amount of attendance points the agent has. The code to pull that info from the SQL table where it's stored is below.

When it runs I get a type mismatch error on the .additem rs![Five9 Extension] line. The column on the SQL table is a varchar and I just need it to display a number so I'm not really sure what the issue is.

Dim Cn As ADODB.Connection
Dim Server_Name As String
Dim Database_Name As String
Dim SQLStr As String
Dim rs As ADODB.Recordset
Set rs = New ADODB.Recordset

Server_Name = "SDL02-VM25"
Database_Name = "PIA"
SQLStr = "select [Five9 Extension] from dbo.[Master Staffing List] Where [Agent Name] ='" & MainPage.AgentName.Selected(itemIndex) & "'"

Set Cn = New ADODB.Connection
Cn.Open "Driver={SQL Server};Server=" & Server_Name & ";Database=" & Database_Name & ""
rs.Open SQLStr, Cn, adOpenStatic

With ReasonPopup.CurPoints
    .Clear
    Do
        .AddItem rs![Five9 Extension]
        rst.MoveNext
    Loop Until rst.EOF
End With

rs.Close
Cn.Close
Set rs = Nothing
Set Cn = Nothing
Exit Sub

Answer 1

Bang operator implicit default member calls aside ( rs![Field Name] is shorthand for rs.Fields("Field Name").Value ), it seems the query isn't returning what you think it does:

 SQLStr = "select [Five9 Extension] from dbo.[Master Staffing List] Where [Agent Name] ='" & MainPage.AgentName.Selected(itemIndex) & "'" 

ListBox.Selected(index) returns a Boolean , so the query you're sending is something like

select [Five9 Extension] from dbo.[Master Staffing List] Where [Agent Name] ='True'

....Which I would expect to yield a grand total of 0 rows.

Question: what would happen if [Agent Name] were to be Jake O'Neil ? That's right, a syntax error with the query. Now what if [Agent Name] were to be Robert'; DROP TABLE [Master Staffing List];-- Robert'; DROP TABLE [Master Staffing List];-- ? That's right, very bad things . This is called a SQL injection vulnerability , and it plagues database-queryuing code all over the world, whenever people concatenate WHERE clauses with user inputs. It's not only a matter of database security, it's also a cause of easily avoidable bugs.

Let's fix this. Use an ADODB.Command , and in your SQL string remove the single quotes and replace the parameter concatenation with a question mark:

Dim cmd As ADODB.Command
Set cmd = New ADODB.Command
Set cmd.ActiveConnection = Cn
cmd.CommandText = "SELECT [Five9 Extension] FROM dbo.[Master StaffingList] WHERE [Agent Name] = ?"
cmd.CommandType = adCmdText
cmd.Parameters.Append cmd.CreateParameter(Type:=adVarChar, Value:=selectedName)
Set rs = cmd.Execute

Now for consuming the recordset, you can't assume that there will be rows - so you make a Do While loop that doesn't enter if rs.EOF is True :

Do While Not rs.EOF
    '...consume recordset...
    rs.MoveNext
Loop

Now, only selectedName needs to be figured out. Use the listbox' ListIndex property to do that:

Dim selectedName As String
With MainPage.AgentName
    Debug.Assert .MultiSelect = fmMultiSelectSingle 'wheels come off otherwise
    selectedName = .List(.ListIndex)
End With