From: bill on 19 Jul 2008 15:11

Can someone please show me an example of passing a string value into an SQL statement in VB 2005? Something like this is what I'm after:

Dim sqlButton1 As String = "Select * from tblAssets where Asset_Tag = Me.cboAsset.Text"

Thank you,

Bill
From: Miro on 19 Jul 2008 16:13

I believe this is what you are looking for (did some googling). Take a look at this link:
http://www.java2s.com/Code/VB/Database-ADO.net/PassParameterintoSQLcommand.htm

and look at the line that says:

cmd.Parameters.Add(New SqlParameter("@fn", SqlDbType.VarChar, 10)).Value = "Joe"

Take note of the @fn, which is in the line above:

Dim cmd As New SqlCommand("SELECT FirstName, LastName FROM Employee WHERE FirstName = @fn", con)

You DO NOT want to do:

"Select * from Employee where FirstName = " + Text1.Text

You might be using a combo box. If your combo box is generated by you, then you are OK. But if the user generates the data within the combo box, then be careful... because of SQL injections.

Skim this article: http://www.sitepoint.com/article/sql-injection-attacks-safe (at page 2 you will see the basic reason) or by the middle of this article: http://blog.colinmackay.net/archive/2007/06/24/77.aspx

Basically someone can execute SQL within your SQL and change your data / bypass your security / delete your data.

Hope this helps.

Miro

"bill" <bill(a)bottlegarden.com> wrote in message news:uau6HNd6IHA.3512(a)TK2MSFTNGP02.phx.gbl...
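Putting Miro's advice into the asset lookup bill described, as an added example that is not code from the thread or from the linked java2s page: the concatenated form that bill's sqlButton1 string would end up as, next to the parameterized form. The column type NVARCHAR(50), the connection string connStr and the injected sample inputs in the comments are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

' Added example for this thread, not code from either poster or from the java2s page.
' Assumptions: tblAssets.Asset_Tag is NVARCHAR(50) and connStr is a valid
' SQL Server connection string supplied by the caller.
Public Module AssetLookup

    ' UNSAFE: what "... where Asset_Tag = '" & Me.cboAsset.Text & "'" produces.
    ' If the box contains   x' OR '1'='1   the text sent to the server is
    '   SELECT * FROM tblAssets WHERE Asset_Tag = 'x' OR '1'='1'
    ' which returns every row; a value such as   x'; DELETE FROM tblAssets --
    ' runs a second statement the same way.
    Public Function BuildUnsafeSql(ByVal assetTag As String) As String
        Return "SELECT * FROM tblAssets WHERE Asset_Tag = '" & assetTag & "'"
    End Function

    ' SAFE: the SQL text never changes; it only contains the placeholder @tag.
    ' The value is sent to the server separately, typed as NVarChar(50), so the
    ' server treats it as data and never parses it as part of the statement.
    Public Function FindAsset(ByVal connStr As String, ByVal assetTag As String) As DataTable
        Dim result As New DataTable()
        Using con As New SqlConnection(connStr)
            Using cmd As New SqlCommand( _
                    "SELECT * FROM tblAssets WHERE Asset_Tag = @tag", con)
                cmd.Parameters.Add("@tag", SqlDbType.NVarChar, 50).Value = assetTag
                con.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function

    ' Typical call from the button handler, passing the combo box text as the value:
    '   Dim rows As DataTable = AssetLookup.FindAsset(connStr, Me.cboAsset.Text)

End Module
```

The same input that turns BuildUnsafeSql into an always-true WHERE clause is, in FindAsset, simply a 10-character tag that matches no row. Declaring the parameter with an explicit SqlDbType and length also keeps the server from guessing a type from the value, which matters for query plan reuse.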
From: bill on 19 Jul 2008 18:25

Thank you for your reply. Can you explain to me what this is, since it doesn't appear to be an assigned variable name? I haven't seen this before: "@fn"

Thank you!

Bill

"Miro" <miro(a)beero.com> wrote in message news:eiTfevd6IHA.1196(a)TK2MSFTNGP05.phx.gbl...
From: Miro on 20 Jul 2008 10:22

It is your own variable / parameter holder (as long as it starts with the @ symbol). You can name it @bill.

If you have multiple parameters then they all must be unique in the statement.

Example: Select * from @bla where @bill = @miro

Therefore it would expect me to add 3 parameters via cmd.Parameters.Add: one for @bla, one for @bill and one for @miro.

Miro

"bill" <bill(a)bottlegarden.com> wrote in message news:usOac5e6IHA.4468(a)TK2MSFTNGP02.phx.gbl...
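An added example, not code from the thread, for the multiple-parameter case Miro describes: every placeholder in the statement text gets its own uniquely named entry in cmd.Parameters. It also covers the table-name case, because SQL Server accepts a parameter only where a value belongs; a string parameter cannot take the place of the table in a FROM clause, so that part of the statement is assembled from a fixed list of permitted names instead. The Location column, the table list and connStr are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

' Added example for this thread, not code from either poster. The Location column
' and the list of permitted tables are assumptions made for illustration.
Public Module AssetSearch

    ' Two placeholders, two parameters. Each name in the SQL text must be unique
    ' and must have exactly one matching entry in cmd.Parameters; leaving one out
    ' makes the server reject the command with "Must declare the scalar variable".
    Public Function FindAssets(ByVal connStr As String, ByVal assetTag As String, _
                               ByVal location As String) As DataTable
        Dim result As New DataTable()
        Using con As New SqlConnection(connStr)
            Using cmd As New SqlCommand( _
                    "SELECT * FROM tblAssets WHERE Asset_Tag = @tag AND Location = @loc", con)
                cmd.Parameters.Add("@tag", SqlDbType.NVarChar, 50).Value = assetTag
                cmd.Parameters.Add("@loc", SqlDbType.NVarChar, 50).Value = location
                con.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function

    ' A parameter can only carry a value. SQL Server rejects "SELECT * FROM @tbl"
    ' when @tbl is an ordinary string parameter, so a table name chosen by the user
    ' has to become part of the SQL text. Do that by matching the input against a
    ' fixed list and using the list entry, never the raw input, in the statement.
    Private ReadOnly AllowedTables As String() = {"tblAssets", "tblAssetHistory"}

    Public Function FindInTable(ByVal connStr As String, ByVal tableName As String, _
                                ByVal assetTag As String) As DataTable
        Dim safeTable As String = Nothing
        For Each candidate As String In AllowedTables
            If String.Equals(candidate, tableName, StringComparison.OrdinalIgnoreCase) Then
                safeTable = candidate
                Exit For
            End If
        Next
        If safeTable Is Nothing Then
            Throw New ArgumentException("Table not permitted: " & tableName)
        End If

        Dim result As New DataTable()
        Using con As New SqlConnection(connStr)
            ' safeTable is one of the literals in AllowedTables, so this concatenation
            ' cannot carry user-controlled SQL; the asset tag still goes through a parameter.
            Using cmd As New SqlCommand( _
                    "SELECT * FROM [" & safeTable & "] WHERE Asset_Tag = @tag", con)
                cmd.Parameters.Add("@tag", SqlDbType.NVarChar, 50).Value = assetTag
                con.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function

End Module
```

The rule of thumb the two functions illustrate: anything that is a value in the statement (a tag, a location, a date) goes through a parameter; anything that is an identifier (table, column, ORDER BY target) has to be chosen from names the program already knows.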
From: bill on 20 Jul 2008 12:09

Excellent! Thank you very much for taking the time to explain. I didn't see it declared and was thinking maybe it was some kind of new built-in function.

Thank you!

Bill

"Miro" <miro(a)beero.com> wrote in message news:O5O$FQn6IHA.1196(a)TK2MSFTNGP05.phx.gbl...