strQuery = "insert into tblTransaction (DeliveryNo,Date,AccountNo,Carrier,Service,Status,Manifest,ManifestDate,MasterTracking,Tracking,xmlData) values('" _
    + resxml.GetElementsByTagName("ShipmentID")(0).InnerText + "','" _
    + mxml.GetElementsByTagName("ShipDate")(0).InnerText + "','" _
    + mxml.GetElementsByTagName("AccountNumber")(0).InnerText + "','" _
    + mxml.GetElementsByTagName("Carrier")(0).InnerText + "','" _
    + mxml.GetElementsByTagName("ServiceType")(0).InnerText + "','" _
    + mxml.GetElementsByTagName("Action")(0).InnerText + "','','','" _
    + resxml.GetElementsByTagName("MasterTracking")(0).InnerText + "','" _
    + myxmllist(0).SelectSingleNode("TrackingNumber").InnerText + "','" _
    + mxml.InnerXml + "')"
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error-prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input is promoted to SQL commands with all your credentials.
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
SQL Injection Prevention Cheat Sheet - OWASP
Quote:
How do I insert XML into SQL Server table
Once you use parameters, you insert XML strings exactly like any other strings; the content does not matter.
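As an added example (not part of the answer above nor the original poster's code), here is the same INSERT rewritten with SqlParameter objects, so every value, including a name with an apostrophe and the whole XML document, travels to SQL Server as data rather than as statement text. It assumes a System.Data.SqlClient connection string, the tblTransaction column names from the question, that the Manifest/ManifestDate columns accept NULL (the question's code sent empty strings there), and that the caller has already extracted the tracking number; the two XML documents in Main are constructed for the demonstration.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Xml

Module ParameterizedInsert

    ' Inserts one transaction row. Placeholders (@Name) are bound to typed parameters;
    ' the driver never splices the values into the SQL text, so a quote in the
    ' data cannot terminate the string literal or add commands.
    Sub InsertTransaction(connStr As String, resxml As XmlDocument, mxml As XmlDocument, trackingNumber As String)
        Const sql As String =
            "INSERT INTO tblTransaction " &
            "(DeliveryNo, [Date], AccountNo, Carrier, Service, Status, Manifest, ManifestDate, MasterTracking, Tracking, xmlData) " &
            "VALUES (@DeliveryNo, @Date, @AccountNo, @Carrier, @Service, @Status, @Manifest, @ManifestDate, @MasterTracking, @Tracking, @xmlData)"

        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@DeliveryNo", SqlDbType.NVarChar, 50).Value = resxml.GetElementsByTagName("ShipmentID")(0).InnerText
                ' ShipDate is passed as text exactly as the question did; parse it to DateTime if the column is datetime.
                cmd.Parameters.Add("@Date", SqlDbType.NVarChar, 50).Value = mxml.GetElementsByTagName("ShipDate")(0).InnerText
                cmd.Parameters.Add("@AccountNo", SqlDbType.NVarChar, 50).Value = mxml.GetElementsByTagName("AccountNumber")(0).InnerText
                cmd.Parameters.Add("@Carrier", SqlDbType.NVarChar, 100).Value = mxml.GetElementsByTagName("Carrier")(0).InnerText
                cmd.Parameters.Add("@Service", SqlDbType.NVarChar, 100).Value = mxml.GetElementsByTagName("ServiceType")(0).InnerText
                cmd.Parameters.Add("@Status", SqlDbType.NVarChar, 50).Value = mxml.GetElementsByTagName("Action")(0).InnerText
                ' Assumption: these two columns are nullable; the original sent '' for both.
                cmd.Parameters.Add("@Manifest", SqlDbType.NVarChar, 50).Value = DBNull.Value
                cmd.Parameters.Add("@ManifestDate", SqlDbType.DateTime).Value = DBNull.Value
                cmd.Parameters.Add("@MasterTracking", SqlDbType.NVarChar, 100).Value = resxml.GetElementsByTagName("MasterTracking")(0).InnerText
                cmd.Parameters.Add("@Tracking", SqlDbType.NVarChar, 100).Value = trackingNumber
                ' The XML column gets a typed XML parameter; the markup itself is the value.
                cmd.Parameters.Add("@xmlData", SqlDbType.Xml).Value = mxml.InnerXml

                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    Sub Main()
        ' Constructed sample documents. The carrier name contains an apostrophe, which
        ' would have broken (or hijacked) the concatenated query from the question.
        Dim resxml As New XmlDocument()
        resxml.LoadXml("<Response><ShipmentID>SHP-0001</ShipmentID><MasterTracking>MT123</MasterTracking></Response>")

        Dim mxml As New XmlDocument()
        mxml.LoadXml("<Manifest><ShipDate>2024-01-15</ShipDate><AccountNumber>ACC42</AccountNumber>" &
                     "<Carrier>O'Brien's Freight</Carrier><ServiceType>Ground</ServiceType><Action>Ship</Action>" &
                     "<TrackingNumber>TRK987</TrackingNumber></Manifest>")

        Dim trackingNumber As String = mxml.SelectSingleNode("//TrackingNumber").InnerText

        ' Placeholder connection string; replace with your own.
        Dim connStr As String = "Server=YOUR_SERVER;Database=YOUR_DB;Integrated Security=true;"
        InsertTransaction(connStr, resxml, mxml, trackingNumber)
    End Sub

End Module
```

Binding the XML through a SqlDbType.Xml parameter also lets SQL Server validate that the value is well-formed XML before it is stored, which the string-built version could not do.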