Hi, how can I change this

Imports System.Data.OleDb

' Parameterised UPDATE against an OleDb connection (miConeccion is the caller's open OleDbConnection)
Dim str As String = "UPDATE tblClientes SET Nombre = @NOM WHERE NumId=@NI"
Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
comando.Parameters.AddWithValue("@NOM", txtNombre.Text)
comando.Parameters.AddWithValue("@NI", txtNumID.Text)
comando.ExecuteNonQuery()

but to use it with SQL Server?

Posted 7-Mar-13 13:18pm
ThePhantomUpvoter 7-Mar-13 19:20pm
Use SqlCommand instead of OleDbCommand
Joel Sosa Rivera 7-Mar-13 19:24pm

1 solution


Solution 1

Firstly, never ever, ever, ever... write a SQL query into a string like that.
You are opening yourself up for a SQL Injection Attack if someone decides to write some code that appends to the string; read up on it if you don't know what this means.
I know in this case you are using parameters, but this will not protect you if someone gets lazy in the code.

Use stored procedures and parameters as below:

Imports System.Data
Imports System.Data.SqlClient

' Calls a stored procedure with typed parameters and returns its result set.
' Assumes a procedure a_stored_procedure(@year int, @age int) exists on the server.
Private Function RunProc(year As Integer, age As Integer) As DataTable
    Using ConnectionObj As New SqlConnection("Data Source=ServerName;Initial Catalog=DatabaseName;Integrated Security=True")
        Dim SqlCommandObj As New SqlCommand("a_stored_procedure", ConnectionObj)
        SqlCommandObj.CommandType = CommandType.StoredProcedure
        ' Typed parameters: the values travel separately from the SQL text and are never parsed as SQL
        SqlCommandObj.Parameters.Add("@year", SqlDbType.Int).Value = year
        SqlCommandObj.Parameters.Add("@age", SqlDbType.Int).Value = age

        Dim SQLAdaptorObj As New SqlDataAdapter()
        SQLAdaptorObj.SelectCommand = SqlCommandObj
        Dim DataTableObj As New DataTable
        SQLAdaptorObj.Fill(DataTableObj)   ' Fill opens and closes the connection itself
        Return DataTableObj
    End Using
End Function
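
The point the answer makes about "someone getting lazy" can be seen end to end with the question's own UPDATE. The block below is an added example, not code from the question or the answer: it uses Python's sqlite3 as a stand-in for SqlCommand against SQL Server, so it runs without a server. The table and column names (tblClientes, Nombre, NumId) come from the question; the three sample rows are constructed here. update_concat is the string-building anti-pattern; update_param is the parameterised form, with int() standing in for the SqlDbType.Int typing in the answer.

```python
import sqlite3

# Constructed sample rows for the question's tblClientes (NumId, Nombre).
CLIENTES = [(1, "Ana"), (2, "Luis"), (3, "Marta")]


def make_db():
    """Create an in-memory copy of tblClientes holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblClientes (NumId INTEGER PRIMARY KEY, Nombre TEXT)")
    conn.executemany("INSERT INTO tblClientes (NumId, Nombre) VALUES (?, ?)", CLIENTES)
    conn.commit()
    return conn


def nombres(conn):
    """Return {NumId: Nombre} so callers can see exactly which rows an UPDATE touched."""
    return dict(conn.execute("SELECT NumId, Nombre FROM tblClientes"))


def update_concat(conn, nombre, num_id):
    """The 'lazy' variant the answer warns about: form values spliced into the SQL text.

    Returns the number of rows changed. Because the input is parsed as SQL, a value
    such as "2 OR 1=1" in the NumId box rewrites every row in the table.
    """
    sql = ("UPDATE tblClientes SET Nombre = '" + nombre + "'"
           " WHERE NumId = " + num_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_param(conn, nombre, num_id):
    """Parameterised form of the question's UPDATE.

    :NOM and :NI play the role of the @NOM / @NI SqlCommand parameters: the values
    are bound separately from the statement text and are never parsed as SQL.
    int(num_id) mirrors SqlDbType.Int: anything that is not a whole number raises
    ValueError before it reaches the database.
    """
    cur = conn.execute(
        "UPDATE tblClientes SET Nombre = :NOM WHERE NumId = :NI",
        {"NOM": nombre, "NI": int(num_id)},
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    payload = "2 OR 1=1"  # what a user could type into txtNumID
    db = make_db()
    print("concat:", update_concat(db, "Pepe", payload), "rows changed", nombres(db))
    db = make_db()
    try:
        update_param(db, "Pepe", payload)
    except ValueError as exc:
        print("param: rejected", repr(payload), "->", exc)
    print("param:", update_param(db, "Pepe", "2"), "row changed", nombres(db))
```

Run as a script it shows the concatenated UPDATE changing all three rows for the payload while the parameterised one rejects it and, given a real id, changes exactly one row. The same holds for a payload in the name box such as x' WHERE 1=1 --: concatenation turns the trailing part into a comment and updates every row, whereas the bound parameter simply stores that literal string as the new Nombre.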



This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 8 Mar 2013
Copyright © CodeProject, 1999-2017