Click here to Skip to main content
15,938,218 members
Please Sign up or sign in to vote.
1.00/5 (3 votes)
See more:
I am attempting to write data into a SQL table. Here is the code.
VB
Dim strconx As String = ("Data Source=.\SQLEXPRESS;Initial Catalog=Connex_Test;Integrated Security = true")
Dim connectionx As New SqlConnection(strconx)

Dim strCmd As String = "Insert into BlockAtts(IDNumber,Description,QTY,Tag_Type,DWG_Number,Project_Number,Job_Number,system,Crate,RA_Company,Company1) Values('" & WRAtts.IDNumber & "','" & WRAtts.Description & "','" & WRAtts.QTY & "','" & WRAtts.Dwg_Number & "','" & WRAtts.Project_Number & "','" & WRAtts.Job_Number & "','" & WRAtts.system & "','" & WRAtts.Crate & "','" & WRAtts.RA_Company & "','" & WRAtts.Company1 & "')"

Dim Comm As New SqlCommand
Comm.CommandType = System.Data.CommandType.Text
Comm.CommandText = strCmd
    Comm.Connection = connectionx

    Try
        connectionx.Open()
        'connection opens
        Comm.ExecuteNonQuery()
        'fails to write data
    Catch
        LB2.Items.Add("data write failed")
    End Try

connectionx.Close()

What is my issue?

Thank you!

What I have tried:

I have tried several different formats of this - all fail to enter the data.
Posted
Updated 29-Aug-23 0:44am
v2
Comments
Dave Kreskowiak 23-Aug-23 19:09pm    
Without any error messages, anything anyone says is just a guess.
Herman<T>.Instance 29-Aug-23 7:42am    
must be a pebcak issue

This is not about your problem, or maybe it is, but you're using string concatenation to build the SQL query. This is a MASSIVE security problem and risks the destruction of your database. It amy also be causing your problems, whatever they are.

ALWAYS use parameterized queries! Read this[^] and this[^]

You also may have database design issues because it looks like you're trying to store numeric data as strings in the database. That's a bad idea.

Without further information, it's impossible to give you direct answers to solve your problems, but this should be a start for you and you'll have to rewrite the code you posted to start implementing corrections.
 
Share this answer
 
I concur with Dave - you should never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

The other thing you should never do is throw away information:
    Try
...
    Catch
        LB2.Items.Add("data write failed")
    End Try
Because you don't know what the exception is, you can't access any data to help you work out what the problem is. Always grab the exception, because then you can use the debugger to look at it in detail if you need to. Try this:
    Try
...
    Catch Ex As Exception
        LB2.Items.Add($"Data Write failed:\n{ex.Message}")
    End Try
That way, you get some info on why it's failing.
 
Share this answer
 
In addition to using parameterized queries as stated above, you have a value for your 'Tag_Type' field missing, jumping from 'WRAtts.QTY' to 'WRAtts.Dwg_Number'.

To use parameterized query -
VB
Dim strconx As String = "Data Source=.\SQLEXPRESS;Initial Catalog=Connex_Test;Integrated Security=true"
Dim connectionx As New SqlConnection(strconx)

Dim strCmd As String = "INSERT INTO BlockAtts(IDNumber, Description, QTY, Tag_Type, DWG_Number, Project_Number, Job_Number, system, Crate, RA_Company, Company1) VALUES (@IDNumber, @Description, @QTY, @Tag_Type, @DWG_Number, @Project_Number, @Job_Number, @system, @Crate, @RA_Company, @Company1)"
'@Tag_Type missing in your code...

Dim Comm As New SqlCommand
Comm.CommandType = System.Data.CommandType.Text
Comm.CommandText = strCmd
Comm.Connection = connectionx

'Set your parameters...
Comm.Parameters.AddWithValue("@IDNumber", WRAtts.IDNumber)
Comm.Parameters.AddWithValue("@Description", WRAtts.Description)
Comm.Parameters.AddWithValue("@QTY", WRAtts.QTY)
Comm.Parameters.AddWithValue("@Tag_Type", WRAtts.Tag_Type)
Comm.Parameters.AddWithValue("@DWG_Number", WRAtts.Dwg_Number)
Comm.Parameters.AddWithValue("@Project_Number", WRAtts.Project_Number)
Comm.Parameters.AddWithValue("@Job_Number", WRAtts.Job_Number)
Comm.Parameters.AddWithValue("@system", WRAtts.system)
Comm.Parameters.AddWithValue("@Crate", WRAtts.Crate)
Comm.Parameters.AddWithValue("@RA_Company", WRAtts.RA_Company)
Comm.Parameters.AddWithValue("@Company1", WRAtts.Company1)

Try
    connectionx.Open()
    'Open your connection...
    Comm.ExecuteNonQuery()
    'Data is saved...
Catch ex As Exception
    LB2.Items.Add("No data saved: " & ex.Message)
Finally
    connectionx.Close()
End Try
 
Share this answer
 
v2
Comments
Ender157 24-Aug-23 9:52am    
thank you for all the good info. interestingly it seems to not like reading from the VAriable. if i hard code the entries it works.
 Comm.Parameters.AddWithValue("@IDNumber", "1.1.1") 'WRAtts.IDNumber)
        Comm.Parameters.AddWithValue("@Description", "Description") ' WRAtts.Description)
        Comm.Parameters.AddWithValue("@QTY", "test") 'WRAtts.QTY)
        Comm.Parameters.AddWithValue("@Tag_Type", "test") 'WRAtts.Tag_Type)
        Comm.Parameters.AddWithValue("@DWG_Number", "test") ' WRAtts.Dwg_Number)
        Comm.Parameters.AddWithValue("@Project_Number", "test") ' WRAtts.Project_Number)
        Comm.Parameters.AddWithValue("@Job_Number", "test") ' WRAtts.Job_Number)
        Comm.Parameters.AddWithValue("@system", "test") 'WRAtts.system)
        Comm.Parameters.AddWithValue("@Crate", "test") 'WRAtts.Crate)
        Comm.Parameters.AddWithValue("@RA_Company", "test") ' WRAtts.RA_Company)
        Comm.Parameters.AddWithValue("@Company1", "test") ' WRAtts.Company1)


I do see an issue with at least 1 the WRAtts.Description contains " with in the string. this i will look into. but setting just that one to a literal string it fails to write.
Ender157 24-Aug-23 12:36pm    
I got it to work, the issue wound up in the Select statement in the calling code.
Andre Oosthuizen 25-Aug-23 6:55am    
You're welcome, happy coding.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900