vb.net - How t insert a data to the database using query -
so have codes gets wrong syntax error.. dont know whats wrong can me?? im newbee in vb. programming
private sub button1_click(byval sender system.object, byval e system.eventargs) handles button1.click try dim sqlquery = "insert sample (firstname,middlename,lastname,gender,age,year level,date of birth,date enrolled,citezenship,religion,address,telephone no,average grade,father,fathers occupation,fathers address,mother,mothers occupation,mothers address,guardian,guardians address,family income,payed amount,balance) values ('" & txtfname.text & "','" & txtmname.text & "','" & txtlname.text & "','" & combosex.text & "','" & comboage.text & "','" & comboyear.text & "','" & txtdateofbirth.text & "','" & txtdateenrolling.text & "','" & txtcitezen.text & "','" & txtreligion.text & "','" & txtstudentadd.text & "','" & txtnumber.text & "','" & txtgrade.text & "','" & txtfather.text & "','" & txtfatherocc.text & "','" & txtfatheradd.text & "','" & txtmother.text & "','" & txtmotherocc.text & "','" & txtmotheradd.text & "','" & txtguardian.text & "','" & txtguardianadd.text & "','" & txtincome.text & "','" & txtpayment.text & "','" & textbox2.text & "')" dim sqlcommand new oledbcommand sqlcommand .commandtext = sqlquery .connection = conn .executenonquery() end msgbox("one record succesfull added") catch ex exception msgbox(ex.tostring) end try end sub
this most likely because of sql injection vulnerability you're exposing. notice how you're treating user input:
"... values ('" & txtfname.text & "', ..."
this may look you're putting data value in query, you're doing treating user input as executable code. user input database-reserved characters cause problems. example, if input value has single quote (such phrase "don't use sql injectable code"
) resulting query you're building is:
"... values ('don't use sql injectable code', ..."
naturally result in syntax error because there's t
after string literal, isn't valid sql.
instead of treating user input executable code, treat data values. use sql parameters add values query. this:
' replace each concatenated string parameter placeholder: dim sqlquery = "... values (@fname, ..." dim sqlcommand new oledbcommand sqlcommand .commandtext = sqlquery .connection = conn ' add parameter each placeholder: .parameters.addwithvalue("@fname", txtfname.text) .executenonquery() end
Comments
Post a Comment