I'm developing a small application which involves SQL Server and VB for the front end. My table has a timestamp as one of the columns. When I write the query directly in SQL, the timestamp field can be skipped. But when the query is written within the VB app, the query returns an error: NOT ENOUGH ARGUMENTS SUPPLIED!!

' com is a SqlConnection and cmd a SqlCommand; both are assumed to be declared at form level (not shown in the post)
Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
    com.ConnectionString = "server=.\sqlexpress;Database=mjjsj1;trusted_connection=True;"
    If TextBox1.Text <> "" And TextBox2.Text <> "" And TextBox3.Text <> "" Then
        com.Open()
        ' Builds the INSERT by concatenating raw text box input; with no column list,
        ' SQL Server expects a value for every column, including the timestamp
        cmd = New SqlCommand("insert into BACHELI values(" + TextBox2.Text + "," + TextBox5.Text + "," + TextBox8.Text + ")", com)
        cmd.ExecuteNonQuery()
        com.Close()
    End If
End Sub


THANK YOU
Posted 24-Aug-12 20:22pm
Updated 24-Aug-12 21:52pm
v4
Comments
Mehdi Gholam 25-Aug-12 2:43am
Show your code.
Sharath2790 25-Aug-12 3:03am
Mehdi Gholam
I've updated the question.

1 solution


Solution 1

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parameterized queries instead - it will almost certainly cure your problem at the same time!

cmd = New SqlCommand("INSERT INTO Bacheli (mycolumn1, mycolumn2, myColumn3) VALUES (@T1, @T2, @T3)", com)
cmd.Parameters.AddWithValue("@T1", TextBox2.Text)
cmd.Parameters.AddWithValue("@T2", TextBox5.Text)
cmd.Parameters.AddWithValue("@T3", TextBox8.Text)
You will need to rename "mycolumn1" etc. to match your columns, and it would be a good idea to rename the parameters "@T1" and so on to something more sensible as well.

While we are on the subject, stop taking VS defaults for names - you may remember today what "TextBox8" holds, but when you come back to make changes in a week's time? Or next month? Always use sensible names instead that describe what it is used for.
Comments
Sharath2790 20-Oct-12 1:45am
Can this method be used in C#?
OriginalGriff 20-Oct-12 2:31am
Yes - and should. Just replace the "New" with "new" and add semicolons to the end of each line:
cmd = new SqlCommand("INSERT INTO Bacheli (mycolumn1, mycolumn2, myColumn3) VALUES (@T1, @T2, @T3)", com);
cmd.Parameters.AddWithValue("@T1", TextBox2.Text);
cmd.Parameters.AddWithValue("@T2", TextBox5.Text);
cmd.Parameters.AddWithValue("@T3", TextBox8.Text);
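As an added example (not the original poster's or the answer's code), here is the parameterized INSERT from Solution 1 worked through in VB.NET with an explicit column list, typed parameters instead of AddWithValue, and validation of the text box input before it is bound. The columns Id, Qty, Price and RowVer and their types are assumed placeholders for the real BACHELI schema.

```vbnet
' Added example, not from the post. Assumes a table
' BACHELI(Id int, Qty int, Price decimal, RowVer rowversion);
' the column names and types are placeholders for the real schema.
Imports System.Data
Imports System.Data.SqlClient

Public Module BacheliInsert
    Private Const ConnStr As String =
        "server=.\sqlexpress;Database=mjjsj1;trusted_connection=True;"

    ' Returns the number of rows inserted, or -1 when the input is not valid.
    Public Function InsertRow(idText As String, qtyText As String, priceText As String) As Integer
        ' Validate in code before anything reaches SQL Server: a parameter
        ' cannot inject SQL, but checking the type here rejects bad data early.
        Dim id, qty As Integer
        Dim price As Decimal
        If Not Integer.TryParse(idText, id) OrElse
           Not Integer.TryParse(qtyText, qty) OrElse
           Not Decimal.TryParse(priceText, price) Then
            Return -1
        End If

        ' Naming the columns is what lets the timestamp/rowversion column be
        ' skipped: SQL Server fills it itself and rejects an explicit value.
        Const Sql As String =
            "INSERT INTO BACHELI (Id, Qty, Price) VALUES (@Id, @Qty, @Price)"

        Using con As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand(Sql, con)
                ' Explicit SqlDbType: the parameter type is fixed by the code,
                ' not inferred from whatever the text box happened to contain.
                cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id
                cmd.Parameters.Add("@Qty", SqlDbType.Int).Value = qty
                cmd.Parameters.Add("@Price", SqlDbType.Decimal).Value = price
                con.Open()
                Return cmd.ExecuteNonQuery()
            End Using   ' cmd disposed
        End Using       ' con closed even if ExecuteNonQuery throws
    End Function
End Module
```

The `Using` blocks close the connection on every path, which the original handler does not do when ExecuteNonQuery throws; the C# version from the comment above follows the same shape with `using` statements.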

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
