0

I am trying to pass gridview data into database. The problem I am having is that not all data in my gridview is entering the database. Doing a messagebox shows only name column is going in. Here is my code 

Protected Sub Button2_Click1(sender As Object, e As EventArgs) Handles Button2.Click
    Dim sc As StringCollection = New StringCollection
    Dim field1 As String = String.Empty
    Dim i As Integer = 0
    Do While (i < GridView1.Rows.Count)
        field1 = GridView1.Rows(i).Cells(0).Text
        i = (i + 1)
    Loop
    ' get the  field to be Inserted
    sc.Add(field1)
    ' add the field to be Inserted in the StringCollection
    InsertRecords(sc)
    ' call method for insert and pass the StringCollection values

End Sub





Dim conn As MySqlConnection = New MySqlConnection("Server=****************;Database=******;Uid=*******;Pwd=****;allow user variables=true")
    Dim sb As StringBuilder = New StringBuilder(String.Empty)
    For Each item As String In sc
        Const sqlStatement As String = "INSERT INTO student(name, age, adress) VALUES ("
        sb.AppendFormat("{0}'{1}' ", sqlStatement, item)

    Next
    sb.Append(")")

    MsgBox(sb.ToString)

    Try
        conn.Open()
        Dim cmd As MySqlCommand = New MySqlCommand(sb.ToString, conn)
        cmd.CommandType = CommandType.Text
        cmd.ExecuteNonQuery()

    Catch ex As System.Data.SqlClient.SqlException
        Dim msg As String = "Insert Error:"
        msg = (msg + ex.Message)
        Throw New Exception(msg)
    Finally
        conn.Close()
    End Try
End Sub
Improve this question
10
  • Don't concatenate strings to create a sql command but use parameters. Commented Oct 18, 2012 at 11:17
  • Could you please show example Commented Oct 18, 2012 at 11:18
  • What is sc and where's your code which executes the command? Commented Oct 18, 2012 at 11:19
  • Tim I have just updated my code Commented Oct 18, 2012 at 11:23
  • Yes, but again, what is sc? Commented Oct 18, 2012 at 11:28

1 Answer 1

Reset to default
1

Don't concatenate strings to create a sql command but use parameters to primarily avoid sql-injection.

Const sqlStatement As String = "INSERT INTO student(name, age, adress) VALUES (?Pname,?Page,?Padress)"
Try
    Using con = New MySqlConnection(connectionString)
        con.Open()
        For Each item In sc
            Using cmd = New MySqlCommand(sqlStatement, con)
                cmd.Parameters.AddWithValue("?Pname", item.Name)
                cmd.Parameters.AddWithValue("?Page", item.Page)
                cmd.Parameters.AddWithValue("?Padress", item.Padress)
                cmd.ExecuteNonQuery()
            End Using
        Next
    End Using
Catch ex As System.Data.SqlClient.SqlException
    ' log message '
    Throw ' don't use throw new Exception or throw ex '
End Try

Note that i've used sc like a collection of a custom class with all needed properties. But even if that was not correct, it should give you an idea how it works.

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

@Steve: And i've forgotten to add my sql statement ;)
Thanks guys Im going to give that a go. Its really appreciated!!
The problem i now get is the Pname in the paramater section is not a member of a string
@user1712552: Then you should tell me what type it is. You can convert it, for example to int: int.Parse(stringValue) etc.
I dont understand . This is what im doing cmd.Parameters.AddWithValue("?Pname", item.name) Now when I bang that in Im getting error there is a blue line under item.name. When hovering mouse over it is says 'name' is not a member of 'String'.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.