vb.net - How t insert a data to the database using query -


so have codes gets wrong syntax error.. dont know whats wrong can me?? im newbee in vb. programming

private sub button1_click(byval sender system.object, byval e system.eventargs) handles button1.click       try         dim sqlquery = "insert sample (firstname,middlename,lastname,gender,age,year level,date of birth,date enrolled,citezenship,religion,address,telephone no,average grade,father,fathers occupation,fathers address,mother,mothers occupation,mothers address,guardian,guardians address,family income,payed amount,balance) values ('" & txtfname.text & "','" & txtmname.text & "','" & txtlname.text & "','" & combosex.text & "','" & comboage.text & "','" & comboyear.text & "','" & txtdateofbirth.text & "','" & txtdateenrolling.text & "','" & txtcitezen.text & "','" & txtreligion.text & "','" & txtstudentadd.text & "','" & txtnumber.text & "','" & txtgrade.text & "','" & txtfather.text & "','" & txtfatherocc.text & "','" & txtfatheradd.text & "','" & txtmother.text & "','" & txtmotherocc.text & "','" & txtmotheradd.text & "','" & txtguardian.text & "','" & txtguardianadd.text & "','" & txtincome.text & "','" & txtpayment.text & "','" & textbox2.text & "')"         dim sqlcommand new oledbcommand         sqlcommand             .commandtext = sqlquery             .connection = conn             .executenonquery()         end         msgbox("one record succesfull added")      catch ex exception         msgbox(ex.tostring)     end try end sub 

this most likely because of sql injection vulnerability you're exposing. notice how you're treating user input:

"... values ('" & txtfname.text & "', ..." 

this may look you're putting data value in query, you're doing treating user input as executable code. user input database-reserved characters cause problems. example, if input value has single quote (such phrase "don't use sql injectable code") resulting query you're building is:

"... values ('don't use sql injectable code', ..." 

naturally result in syntax error because there's t after string literal, isn't valid sql.

instead of treating user input executable code, treat data values. use sql parameters add values query. this:

' replace each concatenated string parameter placeholder: dim sqlquery = "... values (@fname, ..."  dim sqlcommand new oledbcommand sqlcommand     .commandtext = sqlquery     .connection = conn      ' add parameter each placeholder:     .parameters.addwithvalue("@fname", txtfname.text)      .executenonquery() end 

Comments

Popular posts from this blog

php - regexp cyrillic filename not matches -

c# - OpenXML hanging while writing elements -

sql - Select Query has unexpected multiple records (MS Access) -