```vb
SQLCmd.CommandText = "INSERT INTO PriceBook_Cost (EntryDate, Country, PoP, City, Medium, Capacity, Currency, " &
    "NRC, MRC) VALUES ('" &
    DateTime.Now & "','" &
    country.Replace("'", "''") & "','" &
    PBPoPtoUse.Replace("'", "''") & "','" &
    city.Replace("'", "''") & "','" &
    theMedium & "','" &
    MB & "','" &
    "USD',’" &
    If(MaxNRC > 0, "'" & Convert.ToInt64(MaxNRC) & "'", "NULL") & "," &
    If(MinMRC > 0, "'" & Convert.ToInt64(MinMRC) & "'", "NULL") & ")"
```


What I have tried:

Hi. I'm a newbie at VB.NET; please help me figure out the problem and fix this snippet of code.
Posted
Updated 20-Nov-19 11:03am
Comments
Richard MacCutchan 20-Nov-19 15:41pm
   
Yes, it is unreadable.
Patrice T 20-Nov-19 16:14pm
   
and the error message is ?
Dave Kreskowiak 20-Nov-19 19:23pm
   
And you never mentioned what you meant by "fix". What about this code, specifically, is broken, other than the obvious string concatenation to build the SQL query?

1 solution


Solution 1

Don't do it like that. OK, you are replacing quote with a pair of quotes, but that doesn't really protect you well - and makes your code very difficult to read.

Instead, use parameterised queries:

```vb
' The MySQL connector types below live in this namespace.
Imports MySql.Data.MySqlClient

Using con As New MySqlConnection(strConnect)
    con.Open()
    ' Placeholders (@C1, @C2) stand in for the values; the driver sends them separately from the SQL text.
    Using com As New MySqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con)
        com.Parameters.AddWithValue("@C1", myValueForColumn1)
        com.Parameters.AddWithValue("@C2", myValueForColumn2)
        com.ExecuteNonQuery()
    End Using
End Using
```

It's safer, you don't need to faff with Replace, and it's a whole load more readable. You'll probably find that it fixes your problem at the same time.
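As an added illustration (not part of the solution above, nor the poster's own code), here is the poster's PriceBook_Cost INSERT rewritten the way the solution recommends. The table and column names are taken from the question; the connection string, the argument names, the `NullIfNotPositive` helper and the use of typed `MySqlDbType` parameters are assumptions made for this example.

```vb
' Added example: the PriceBook_Cost INSERT from the question as a parameterised query.
' Assumed names: strConnect (connection string), the Sub arguments, NullIfNotPositive.
Imports MySql.Data.MySqlClient

Module PriceBookInsert

    Public Sub InsertCost(strConnect As String, country As String, pop As String, city As String,
                          medium As String, capacityMb As Integer, maxNrc As Decimal, minMrc As Decimal)
        ' The SQL text is fixed; no user-supplied value is ever concatenated into it.
        Const sql As String =
            "INSERT INTO PriceBook_Cost (EntryDate, Country, PoP, City, Medium, Capacity, Currency, NRC, MRC) " &
            "VALUES (@EntryDate, @Country, @PoP, @City, @Medium, @Capacity, 'USD', @NRC, @MRC)"

        Using con As New MySqlConnection(strConnect)
            con.Open()
            Using com As New MySqlCommand(sql, con)
                ' Typed parameters: a quote in a city name travels as data, not as SQL,
                ' so the Replace("'", "''") calls from the original are no longer needed.
                com.Parameters.Add("@EntryDate", MySqlDbType.DateTime).Value = DateTime.Now
                com.Parameters.Add("@Country", MySqlDbType.VarChar).Value = country
                com.Parameters.Add("@PoP", MySqlDbType.VarChar).Value = pop
                com.Parameters.Add("@City", MySqlDbType.VarChar).Value = city
                com.Parameters.Add("@Medium", MySqlDbType.VarChar).Value = medium
                com.Parameters.Add("@Capacity", MySqlDbType.Int32).Value = capacityMb
                ' The original emitted the literal NULL when the amount was not positive;
                ' DBNull.Value as the parameter value does the same without any quoting decision.
                com.Parameters.Add("@NRC", MySqlDbType.Int64).Value = NullIfNotPositive(maxNrc)
                com.Parameters.Add("@MRC", MySqlDbType.Int64).Value = NullIfNotPositive(minMrc)
                com.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' Returns the whole-number amount, or DBNull when the amount is not positive
    ' (mirrors the If(MaxNRC > 0, ..., "NULL") logic in the question).
    Private Function NullIfNotPositive(amount As Decimal) As Object
        If amount > 0 Then
            Return Convert.ToInt64(amount)
        End If
        Return DBNull.Value
    End Function

End Module
```

Calling it looks like `InsertCost(strConnect, "Canada", "TOR1", "Toronto", "Fibre", 100, 2500D, 0D)`, which stores NULL in MRC. Sending EntryDate as a DateTime parameter rather than `DateTime.Now` converted to text also removes the dependence on the thread's date format, which string concatenation silently introduces.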
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)