12

I have this code to update my SQL database from data in a textbox, in VB. I need to use parameters in case the text contains a tic mark ,', or a quote ,", etc. Here is what I have:

dbConn = New SqlConnection("server=.\SQLEXPRESS;Integrated Security=SSPI; database=FATP")
    dbConn.Open()

    MyCommand = New SqlCommand("UPDATE SeansMessage SET Message = '" & TicBoxText.Text & _
                                            "'WHERE Number = 1", dbConn)

    MyDataReader = MyCommand.ExecuteReader()
    MyDataReader.Close()
    dbConn.Close()

And this is my lame attempt to set a parameter from what I have seen on the web, which I don't understand all that well.

dbConn = New SqlConnection("server=.\SQLEXPRESS;Integrated Security=SSPI; database=FATP")
    dbConn.Open()

    MyCommand = New SqlCommand("UPDATE SeansMessage SET Message = @'" & TicBoxText.Text & _
                                            "'WHERE Number = 1", dbConn)

    MyDataReader = MyCommand.ExecuteReader()
    MyDataReader.Close()
    dbConn.Close()

How do you do this? Cause if there is a ' mark in the textbox when I run the code, it crashes.

Improve this question
2

2 Answers 2

Reset to default
32

You are on the right path to avoiding Bobby Tables, but your understanding of @ parameters is incomplete.

Named parameters behave like variables in a programming language: first, you use them in your SQL command, and then you supply their value in your VB.NET or C# program, like this:

MyCommand = New SqlCommand("UPDATE SeansMessage SET Message = @TicBoxText WHERE Number = 1", dbConn)
MyCommand.Parameters.AddWithValue("@TicBoxText", TicBoxText.Text)

Note how the text of your command became self-contained: it no longer depends on the value of the text from the text box, so the users cannot break your SQL by inserting their own command. @TicBoxText became a name of the variable that stands for the value in the text of the command; the call to AddWithValue supplies the value. After that, your ExecuteReader is ready to go.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Not a fan of the AddWithValue() method. Sometimes it guesses the parameter type wrong (ie: dates, varchar vs nvarchar), and sometimes when that happens the query no longer lines up with an index that it should, resulting in sometimes drastic performance problems.
@JoelCoehoorn Me neither, but that's the fastest way to get things going.
Thanks, that makes more sense for my purposes.
13

There are a number of improvements in here:

Using dbConn As New SqlConnection("server=.\SQLEXPRESS;Integrated Security=SSPI; database=FATP"), _
      MyCommand As SqlCommand("UPDATE SeansMessage SET Message = @Message WHERE Number = 1", dbConn)

    'Make sure to use your exact DbType (ie: VarChar vs NVarChar) and size
    MyCommand.Parameters.Add("@Message", SqlDbType.VarChar).Value = TicBoxText.Text

    dbConn.Open()
    MyCommand.ExecuteNonQuery() ' don't open a data reader: just use ExecuteNonQuery
End Using 'Using block will close the connection for you
Improve this answer

2 Comments

What are these improvements of which there are a number?
@PsychoData Correctly close the connection in case an exception is thrown, use query parameters, executenonquery() instead of executereader, explicit parameter type instead of inferred

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.