This query is written in the Add button, and I am using an ODBC connection. I need to add the check box value into one column in the database table, i.e. designation. The code below is giving an error.
I am a beginner, so I would like a full explanation please.
' The snippet lives inside the form class; the Imports line belongs at the
' top of that file and is what makes the Odbc.* types resolve.
Imports System.Data

Dim con As New Odbc.OdbcConnection("dsn=dem;uid=root;pwd=root")
Dim str As String
' a, b and c must be declared. Empty strings mean an unchecked box inserts ''.
Dim a As String = ""
Dim b As String = ""
Dim c As String = ""

Private Sub btnadd_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnadd.Click
    ' ElseIf means only the first ticked box is recorded, even if several are ticked.
    If chkincharge.Checked Then
        a = chkincharge.Text
    ElseIf chkadditionalincharge.Checked Then
        b = chkadditionalincharge.Text
    ElseIf chkmember.Checked Then
        c = chkmember.Text
    End If

    con.Open()
    ' Original approach: the control values are concatenated straight into the SQL text.
    ' "mm" is minutes in a .NET format string; the month is "MM".
    Dim cmd As New Odbc.OdbcCommand("insert into checkbox values('" + DateTimePicker1.Value.Date.ToString("yyyy/MM/dd") + "','" + cmbcommitteename.Text + "','" + cmbmembers.Text + "','" + a + "','" + b + "','" + c + "')", con)
    cmd.ExecuteNonQuery()
    con.Close()
    MsgBox("Record added successfully")
    'txteventtitle.Text = ""
    'rchdescription.Text = ""
    'DateTimePicker1.Text = Date.Now
End Sub


Thank you in advance.

1 solution

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attacks, which can destroy your entire database. Use parameterized queries instead.
VB
' Note on the snippet: System.Data.Odbc does not support named parameters such
' as @DT. OdbcCommand uses positional "?" placeholders, and the parameters are
' bound in the order they are added (the names given to AddWithValue are
' ignored). Leaving @-names in the SQL text is a likely reason ExecuteNonQuery
' fails against MySQL.
con.Open()
Dim cmd As New Odbc.OdbcCommand("INSERT INTO checkbox VALUES(?, ?, ?, ?, ?, ?)", con)
cmd.Parameters.AddWithValue("@DT", DateTimePicker1.Value.Date) ' 1st ?
cmd.Parameters.AddWithValue("@CN", cmbcommitteename.Text)      ' 2nd ?
cmd.Parameters.AddWithValue("@MB", cmbmembers.Text)            ' 3rd ?
cmd.Parameters.AddWithValue("@A", a)                           ' 4th ?
cmd.Parameters.AddWithValue("@B", b)                           ' 5th ?
cmd.Parameters.AddWithValue("@C", c)                           ' 6th ?
cmd.ExecuteNonQuery()
con.Close()


And name your fields! If you don't, then you are risking problems if a column is added or removed.
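Added illustration, not code from the question or the answer above: the same INSERT written both ways in Python against an in-memory SQLite database, so it runs offline. The page's VB.NET/ODBC/MySQL stack is not reproduced, and the column names, the committee and member values ("Finance", "m1", "Alice", "O'Brien") and the payload are all constructed for the example. It shows the accidental breakage the answer warns about (an apostrophe in ordinary input), a deliberate payload that makes one concatenated INSERT write an extra attacker-chosen row without needing stacked statements, and positional "?" placeholders (the form ODBC requires too) storing both inputs as inert text.

```python
import datetime
import sqlite3

# Constructed sample inputs standing in for the form controls on the page.
EVENT_DATE = datetime.date(2013, 4, 1)
# An innocent value containing an apostrophe: the "accidental" injection.
ACCIDENTAL_MEMBER = "O'Brien"
# A deliberate payload for the committee field. It closes the first VALUES
# row and opens a second one, so a single concatenated INSERT writes an extra
# attacker-chosen row. No stacked statements are needed, so it works wherever
# multi-row INSERT does (MySQL and SQLite both accept it).
INJECTED_COMMITTEE = "Finance','m1','','',''),('1999-01-01','INJECTED"


def fresh_db():
    """In-memory table with the six columns the poster's INSERT supplies
    (column names are assumed; the page never names them)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE checkbox (eventdate TEXT, committee TEXT, member TEXT,"
        " a TEXT, b TEXT, c TEXT)"
    )
    return con


def insert_concatenated(con, eventdate, committee, member, a, b, c):
    """The pattern in the question: user input glued into the SQL text."""
    sql = (
        "INSERT INTO checkbox VALUES('" + eventdate.strftime("%Y-%m-%d") + "','"
        + committee + "','" + member + "','" + a + "','" + b + "','" + c + "')"
    )
    con.execute(sql)
    con.commit()


def insert_parameterized(con, eventdate, committee, member, a, b, c):
    """The pattern in the answer: positional '?' placeholders, with the column
    list spelled out. The driver sends the values separately from the SQL
    text, so they can never change the statement's structure. The date is
    passed as an ISO string rather than a locale-formatted one."""
    con.execute(
        "INSERT INTO checkbox (eventdate, committee, member, a, b, c)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (eventdate.isoformat(), committee, member, a, b, c),
    )
    con.commit()


def rows(con):
    """(committee, member) pairs in insertion order."""
    return list(con.execute("SELECT committee, member FROM checkbox ORDER BY rowid"))


def demo():
    results = {}

    # 1. Accidental: the apostrophe in O'Brien ends the string literal early,
    #    the same class of failure as MySQL's "error in your SQL syntax".
    con = fresh_db()
    try:
        insert_concatenated(con, EVENT_DATE, "Finance", ACCIDENTAL_MEMBER, "Incharge", "", "")
        results["accidental_error"] = None
    except sqlite3.OperationalError as exc:
        results["accidental_error"] = str(exc)

    # 2. Deliberate: one call, two rows, the second chosen by the attacker.
    con = fresh_db()
    insert_concatenated(con, EVENT_DATE, INJECTED_COMMITTEE, "Alice", "Incharge", "", "")
    results["concatenated_rows"] = rows(con)

    # 3. Parameterized: both inputs are stored verbatim, one row each.
    con = fresh_db()
    insert_parameterized(con, EVENT_DATE, "Finance", ACCIDENTAL_MEMBER, "Incharge", "", "")
    insert_parameterized(con, EVENT_DATE, INJECTED_COMMITTEE, "Alice", "Incharge", "", "")
    results["parameterized_rows"] = rows(con)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated path fails on O'Brien and silently accepts the payload; the parameterized path stores "O'Brien" and the whole payload string as plain column values, which is the property the answer is asking for.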
Comments
Shraddha Shikerkar 25-Apr-13 4:30am    
I tried this code before, but it is not working. It was giving a problem in cmd.ExecuteNonQuery().
OriginalGriff 25-Apr-13 4:40am    
And what's the problem? What error did you get?
Shraddha Shikerkar 25-Apr-13 4:46am    
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''04/01/13'' at line 1

This is what I am getting.
OriginalGriff 25-Apr-13 5:01am    
No, that's the error you got with your original version.
Did you try the version I suggested?
Shraddha Shikerkar 26-Apr-13 3:08am    
Yes, I am trying it. I'll see the result.
I have another query.
It is this:
the fields on my form are title, description and calendar,
and the table has these three fields along with one primary key, which is auto-generated.
So now, say I want to search for and delete a particular record; it should not delete other data, as I will search for a record on a title and calendar basis,
and both of these fields are not primary keys.
What is the solution for this?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)