Visual Studio 2008 Insert Into SQL DB

Question

0.00/5 (No votes)

See more:

, +

I need a simple example of how to insert a record with a "text" field into a SQL Server 2008 database table from VB.net.

Note that I am talking about the "text" data type specifically, not strings in general (e.g., not "varchar").

Posted 8-Mar-11 10:16am

SumTinWong

Updated 8-Mar-11 11:26am

AspDotNetDev

v3

Add a Solution

Comments

AspDotNetDev 8-Mar-11 16:46pm

FYI, I updated your question with the comment you posted in reply to my answer. I have also deleted my answer, since it is not what you were looking for.

SumTinWong 8-Mar-11 17:02pm

sorry about that.

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Monjurul Habib · Answer 1 · 2011-03-08T11:06:00

Solution 4

SqlConnection conn = new SqlConnection("Data Source=.\\SQLEXPRESS;Initial Catalog=testdb;Integrated Security=True");
conn.Open();
string Insquery = "INSERT INTO userinfo values('"+TextBox1.text+"')"
SqlCommand cmd = new SqlCommand(Insquery,conn);
cmd.ExecuteNonQuery();

Response.Write("Inserted");

conn.Close();

I hope the above information will be helpful. If you have more concerns, please let me know.

Posted 8-Mar-11 11:06am

Monjurul Habib

Comments

AspDotNetDev 8-Mar-11 17:22pm

Noooooooooooo! One should never do this! Use command parameters instead of creating the command using string concatenation.

Espen Harlinn 8-Mar-11 17:40pm

Good point ...

William Winner 8-Mar-11 18:14pm

As an FYI, in case you were curious, the reason you don't do this would be this example:

Someone types the following into TextBox1:

"something');DROP TABLE userinfo;CREATE TABLE Junk (something varchar(255));INSERT INTO Junk VALUES('I just dropped your table and created my own!"

Now, your full insert string equals:

INSERT INTO userinfo values('something');DROP TABLE userinfo;CREATE TABLE Junk (something varchar(255));INSERT INTO Junk VALUES('I just dropped your table and created my own!')

AspDotNetDev 8-Mar-11 18:19pm

For further research into SQL injection, I recommend reading this: http://xkcd.com/327/

:-)

Monjurul Habib 9-Mar-11 3:10am

thanx

Monjurul Habib 9-Mar-11 3:11am

nice

postonoh · Answer 2 · 2011-03-08T10:49:00

Solution 2

a look

you can query this on You tube.

and www.asp.net

Posted 8-Mar-11 10:49am

postonoh

Updated 8-Mar-11 10:51am

v2

Comments

SumTinWong 8-Mar-11 17:01pm

Thanks. I'll look atit.

Espen Harlinn · Answer 3 · 2011-03-08T10:52:00

Solution 3

Here is a few answers from google[^]

You'll find what you need here[^]

Regards
Espen Harlinn

Posted 8-Mar-11 10:52am

Espen Harlinn

Comments

SumTinWong 8-Mar-11 17:01pm

Thanks. I'll look atit.