Pass a parameter in sql statement with VB 2005...

Can someone please show me an example of passing a string value into an sql
statement in vb 2005? Something like this is what I'm after:
Dim sqlButton1 As String = "Select * from tblAssets where Asset_Tag = Me.cboAsset.Text"

Thank you,

Bill
Jul 19 '08 #1
I believe this is what you are looking for (did some googling)-

Take a look at this link:
http://www.java2s.com/Code/VB/Databa...SQLcommand.htm

and look at the line that says:
cmd.Parameters.Add(New SqlParameter("@fn", SqlDbType.VarChar, 10)).Value = "Joe"

take note of the @fn which is in the line above:
Dim cmd As New SqlCommand("SELECT FirstName, LastName FROM Employee WHERE FirstName = @fn", con)

you DO NOT want to do

"Select * from Employee where FirstName = " + Text1.Text

You might be using a Combo Box. If your combo box is generated by you, then
you are ok. But if the user generates the data within the combo box - then
be careful....

because of SQL injections.
Skim this article:
http://www.sitepoint.com/article/sql...n-attacks-safe ( at page 2 you
will see the basic reason )
or by the middle of this article:
http://blog.colinmackay.net/archive/2007/06/24/77.aspx

basically someone can execute sql within your sql and change your data /
bypass your security / delete your data.
Hope this helps.

Miro

Jul 19 '08 #2
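
The difference between the two forms in the reply above, as an added example that is not from the thread or the linked articles: it builds both commands for the tblAssets lookup without opening a connection and prints what the database would be handed. The @tag name, the length of 30, the quoting in the concatenated form and the sample inputs are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module ConcatenationVersusParameter

    ' The approach the reply warns against: the control's text is pasted into
    ' the statement, so any quote character in it is read as SQL syntax.
    Function BuildConcatenated(ByVal assetTag As String) As SqlCommand
        Return New SqlCommand( _
            "SELECT * FROM tblAssets WHERE Asset_Tag = '" & assetTag & "'")
    End Function

    ' The approach the reply recommends: the statement text is fixed and the
    ' control's text is sent separately as the value of @tag.
    ' (@tag and the length 30 are assumptions for this example.)
    Function BuildParameterized(ByVal assetTag As String) As SqlCommand
        Dim cmd As New SqlCommand( _
            "SELECT * FROM tblAssets WHERE Asset_Tag = @tag")
        cmd.Parameters.Add("@tag", SqlDbType.VarChar, 30).Value = assetTag
        Return cmd
    End Function

    Sub Main()
        ' Constructed inputs: an ordinary tag, a tag containing an apostrophe,
        ' and text shaped to alter the WHERE clause.
        Dim samples() As String = {"LT-0042", "O'Brien-PC", "x' OR '1'='1"}

        For Each sample As String In samples
            Console.WriteLine("input        : {0}", sample)

            ' The statement text changes with the input.
            Using bad As SqlCommand = BuildConcatenated(sample)
                Console.WriteLine("concatenated : {0}", bad.CommandText)
            End Using

            ' The statement text is identical for every input; only the
            ' parameter value differs.
            Using good As SqlCommand = BuildParameterized(sample)
                Console.WriteLine("parameterized: {0}", good.CommandText)
                Console.WriteLine("  @tag value : {0}", good.Parameters("@tag").Value)
            End Using
            Console.WriteLine()
        Next
    End Sub
End Module
```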
Thank you for your reply. Can you explain to me what this is since it
doesn't appear to be an assigned variable name? I haven't seen this
before. "@fn"
Thank you!
Bill

Jul 19 '08 #3
It is your own variable / parameter holder ( as long as it starts with the
@ ) symbol.

You can name it @bill
If you have multiple parameters then they all must be unique in the
statement.

example: Select * from @bla where @bill = @miro

therefore It would expect me to add 3 parameters via the cmd.Parameters.Add

one for @bla, one for @bill and one for @miro

Miro

Jul 20 '08 #4
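
An added example, not from the thread: a placeholder is bound as a data value, so it can stand in for "Joe" but cannot supply a table or column name. Where the column itself has to vary, one approach is to pick it from a fixed list in code and bind only the value; the BuildLookup and ResolveColumn helpers and every column name other than Asset_Tag are hypothetical.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module IdentifierAllowList

    ' Columns a caller may filter on. Asset_Tag is from the thread; the other
    ' two names are hypothetical.
    Private ReadOnly FilterColumns As String() = _
        {"Asset_Tag", "Serial_No", "Location"}

    ' Returns the list's own spelling of the column, or Nothing when the
    ' requested name is not on the list.
    Function ResolveColumn(ByVal requested As String) As String
        For Each known As String In FilterColumns
            If String.Equals(known, requested, StringComparison.OrdinalIgnoreCase) Then
                Return known
            End If
        Next
        Return Nothing
    End Function

    Function BuildLookup(ByVal column As String, ByVal value As String) As SqlCommand
        Dim safeColumn As String = ResolveColumn(column)
        If safeColumn Is Nothing Then
            Throw New ArgumentException("Column is not on the allow-list.", "column")
        End If

        ' The identifier is text taken from FilterColumns, never the caller's
        ' string; the value is bound, never concatenated.
        Dim cmd As New SqlCommand( _
            "SELECT * FROM tblAssets WHERE [" & safeColumn & "] = @value")
        cmd.Parameters.Add("@value", SqlDbType.VarChar, 30).Value = value
        Return cmd
    End Function

    Sub Main()
        ' Constructed requests: two listed columns (one in different case),
        ' one unlisted column and one qualified name that is not on the list.
        Dim requested() As String = _
            {"asset_tag", "Location", "Purchase_Cost", "tblAssets.Asset_Tag"}

        For Each column As String In requested
            Try
                Using cmd As SqlCommand = BuildLookup(column, "LT-0042")
                    Console.WriteLine("{0,-20} -> {1}", column, cmd.CommandText)
                End Using
            Catch ex As ArgumentException
                Console.WriteLine("{0,-20} -> rejected", column)
            End Try
        Next
    End Sub
End Module
```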
Excellent! Thank you very much for taking the time to explain. I didn't
see it declared and was thinking maybe it was some kind of new built in
function. Thank you!
Bill

Jul 20 '08 #5
Can this be used with MS access by just changing the connection string or
are they only SQL server specific?

Jul 20 '08 #6
Ya, I need adodb so this probably won't work with an access database right?
I've been using dataTables up until now.

Jul 20 '08 #7
I'm thinking something like this but I get stuck:
Dim Con = New OleDb.OleDbConnection("provider=microsoft.jet.oledb.4.0;" & _
    "data source=c:\_Archive\Documentation - Projects\Hardware Tracking - 2008\IT_Assets.mdb")

Dim cmd As New OleDb.OleDbCommand("SELECT FirstName, LastName FROM Employee WHERE FirstName = @fn", Con)

cmd.Parameters.Add(New SqlParameter("@fn", SqlDbType.VarChar, 10)).Value = "Joe"

Jul 20 '08 #8
I have only been reading up on Sql Express - sorry I have no experience with
.net and access tables.

but yes I do believe you can do parameters for access. I don't see why you
would not be as that would be a pretty big hole if you could not for
security reasons.

http://www.vbdotnetforums.com/showthread.php?t=36
and
http://msdn.microsoft.com/en-us/libr...parameter.aspx

Miro

Jul 20 '08 #9
When using an OleDbCommand you should not use a SqlParameter, as that
is for SQL Server. Use OleParameter instead.

How are you stuck?

Jul 20 '08 #10
This is what I've got so far...thank you. I get stuck on the line before
the "Try" line. Cmd.Parameters.Add(New
oldDB.oldDBParameter("@fn",oledb.??????????
I think the rest is fine?
Dim Con = New OleDb.OleDbConnection("provider=microsoft.jet.oledb.4.0;" & _
    "data source=c:\_Archive\Documentation - Projects\Hardware Tracking - 2008\IT_Assets.mdb")

Dim Cmd As New OleDb.OleDbCommand("SELECT * from tblAssets where asset_tag = @fn", Con)

Cmd.Parameters.Add(New OleDb.OleDbParameter("@fn",oledb.oel)

Try
    Con.Open()
    Dim reader As OleDb.OleDbDataReader = Cmd.ExecuteReader()
    While reader.Read()
        Console.WriteLine("{0} - {1}", reader.GetString(0), reader.GetString(1))
    End While
    reader.Close()
Finally
    Con.Close()
End Try

Jul 20 '08 #11
I think this is it:
'Dim Con = New SqlConnection("Server=(local)\SQLEXPRESS;Initial Catalog=MyDatabase;Integrated Security=SSPI")

Dim Con = New OleDb.OleDbConnection("provider=microsoft.jet.oledb.4.0;" & _
    "data source=c:\_Archive\Documentation - Projects\Hardware Tracking - 2008\IT_Assets.mdb")

'Dim cmd As New SqlCommand("SELECT FirstName, LastName FROM Employee WHERE FirstName = @fn", con)

Dim Cmd As New OleDb.OleDbCommand("SELECT * from tblAssets where asset_tag = @fn", Con)

'cmd.Parameters.Add(New SqlParameter("@fn", SqlDbType.VarChar, 10)).Value = "Joe"

Cmd.Parameters.Add(New OleDb.OleDbParameter("@fn", OleDb.OleDbType.VarChar, 30)).Value = "Joe"

Try
    Con.Open()
    Dim reader As OleDb.OleDbDataReader = Cmd.ExecuteReader()
    While reader.Read()
        Console.WriteLine("{0} - {1}", reader.GetString(0), reader.GetString(1))
    End While
    reader.Close()
Finally
    Con.Close()
End Try

Does that look correct?

Jul 20 '08 #12
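
The OleDb form of the lookup worked out in the posts above, as an added example that is not part of the thread. The OLE DB provider matches parameters to placeholders by position rather than by name, so this version uses ? markers and adds the parameters in the same order; the Location column, the helper names and the sample values are assumptions, and the .mdb path is taken from the command line.

```vbnet
Imports System
Imports System.Data
Imports System.Data.OleDb

Module AccessAssetLookup

    ' Builds the lookup. OLE DB binds parameters to the ? markers by position,
    ' so they are added in the order the markers appear; the names given to
    ' the OleDbParameter objects are labels only.
    ' "Location" is a hypothetical second column, used to show the ordering.
    Function BuildAssetQuery(ByVal con As OleDbConnection, _
                             ByVal assetTag As String, _
                             ByVal location As String) As OleDbCommand
        Dim cmd As New OleDbCommand( _
            "SELECT * FROM tblAssets WHERE Asset_Tag = ? AND Location = ?", con)
        cmd.Parameters.Add("@tag", OleDbType.VarChar, 30).Value = assetTag  ' first ?
        cmd.Parameters.Add("@loc", OleDbType.VarChar, 30).Value = location  ' second ?
        Return cmd
    End Function

    ' Runs the command and copies the rows into a DataTable, so the caller
    ' does not depend on the connection after the Using blocks close it.
    Function LoadAssets(ByVal mdbPath As String, _
                        ByVal assetTag As String, _
                        ByVal location As String) As DataTable
        ' The builder quotes the path, so spaces in it cannot change the
        ' meaning of the connection string.
        Dim csb As New OleDbConnectionStringBuilder()
        csb.Provider = "Microsoft.Jet.OLEDB.4.0"
        csb.DataSource = mdbPath

        Dim rows As New DataTable("tblAssets")
        Using con As New OleDbConnection(csb.ConnectionString)
            Using cmd As OleDbCommand = BuildAssetQuery(con, assetTag, location)
                con.Open()
                Using reader As OleDbDataReader = cmd.ExecuteReader()
                    rows.Load(reader)
                End Using
            End Using
        End Using
        Return rows
    End Function

    Sub Main(ByVal args() As String)
        ' Constructed sample values.
        Dim assetTag As String = "LT-0042"
        Dim location As String = "Head Office"

        If args.Length = 0 Then
            ' No database given: show the statement and the bound values
            ' in the order the provider will apply them.
            Using cmd As OleDbCommand = BuildAssetQuery(Nothing, assetTag, location)
                Console.WriteLine(cmd.CommandText)
                For i As Integer = 0 To cmd.Parameters.Count - 1
                    Console.WriteLine("  marker {0} <- {1}", i + 1, cmd.Parameters(i).Value)
                Next
            End Using
        Else
            ' args(0) is the path to the .mdb file.
            Dim rows As DataTable = LoadAssets(args(0), assetTag, location)
            Console.WriteLine("{0} row(s) returned", rows.Rows.Count)
        End If
    End Sub
End Module
```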
I'm not sure what this line means:
'Console.WriteLine("{0} - {1}", reader.GetString(0), reader.GetString(1))

So to assign say a dataview grid to this set of records is it just

Me.DataGridView1.DataSource = reader because I don't get anything back with
that?

"bill" <bi**@bottlegarden.com> wrote in message
news:u9**************@TK2MSFTNGP05.phx.gbl...
>I think this is it:
>
>'Dim Con = New SqlConnection("Server=(local)\SQLEXPRESS;Initial Catalog=MyDatabase;Integrated Security=SSPI")
>
>Dim Con = New OleDb.OleDbConnection("provider=microsoft.jet.oledb.4.0;" & "data source=c:\_Archive\Documentation - Projects\Hardware Tracking - 2008\IT_Assets.mdb")
>
>'Dim cmd As New SqlCommand("SELECT FirstName, LastName FROM Employee WHERE FirstName = @fn", con)
>
>Dim Cmd As New OleDb.OleDbCommand("SELECT * from tblAssets where asset_tag = @fn", Con)
>
>'cmd.Parameters.Add(New SqlParameter("@fn", SqlDbType.VarChar, 10)).Value = "Joe"
>
>Cmd.Parameters.Add(New OleDb.OleDbParameter("@fn", OleDb.OleDbType.VarChar, 30)).Value = "Joe"
>
>Try
>    Con.Open()
>    Dim reader As OleDb.OleDbDataReader = Cmd.ExecuteReader()
>    While reader.Read()
>        Console.WriteLine("{0} - {1}", reader.GetString(0), reader.GetString(1))
>    End While
>    reader.Close()
>Finally
>    Con.Close()
>End Try
>
>Does that look correct?

Jul 20 '08 #13
On Sun, 20 Jul 2008 17:33:50 -0600, "bill" <bi**@bottlegarden.com>
wrote:
>I'm not sure what this line means:
>'Console.WriteLine("{0} - {1}", reader.GetString(0), reader.GetString(1))

Console.WriteLine takes a format string. See String.Format for more
information. The numbers in braces are parameter numbers. In the
code above, {0} is replaced by the next parameter, reader.GetString(0)
(the value of column 0) and {1} by reader.GetString(1) (the value of
column 1).

>So to assign say a dataview grid to this set of records is it just
>
>Me.DataGridView1.DataSource = reader because I don't get anything back with
>that?

No. A DataReader supplies one row each time. For more information on
this see
<http://msdn.microsoft.com/en-us/library/haa3afyz(VS.71).aspx>.

The DataGridView.DataSource property takes some kind of list. You
must iterate through the DataReader and populate some kind of list. A
good one to use is BindingList(Of T), as that supplies a lot of
functionality that is useful when binding controls to a list.

However since you are just getting started with VB .NET, it might be
easier for you to create a DataSet from the DataReader using a
DataAdapter, and bind the DataGridView to the DataSet's DataTable.
Here is some information about this
<http://msdn.microsoft.com/en-us/library/bh8kx08z.aspx>

By using Google you should be able to find more examples.

Also, it is probably not necessary to specify the data type on the
Parameters.Add call. I know it is not necessary with SQL Server, but
I'm not sure about OleDB. You probably can just use:

Cmd.Parameters.Add(New OleDb.OleDbParameter("@fn", "Joe"))

Jul 21 '08 #14
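
The approach suggested in reply #14 (fill a DataTable through a DataAdapter and bind the grid to it), combined with the parameterized OleDb query discussed earlier in the thread, as an added example that is not any poster's own code. The connection string, tblAssets, Asset_Tag, cboAsset and DataGridView1 come from the thread; AssetForm, LoadAssets, btnFind and the @tag label are assumptions.

```vb
Imports System
Imports System.Data
Imports System.Data.OleDb
Imports System.Windows.Forms

Public Class AssetForm
    Inherits Form

    ' Database path, table and column names are the ones quoted in the thread.
    Private Const ConnStr As String = _
        "Provider=Microsoft.Jet.OLEDB.4.0;" & _
        "Data Source=c:\_Archive\Documentation - Projects\Hardware Tracking - 2008\IT_Assets.mdb"

    Private ReadOnly cboAsset As New ComboBox()
    Private ReadOnly btnFind As New Button()        ' hypothetical button
    Private ReadOnly DataGridView1 As New DataGridView()

    Public Sub New()
        Text = "Asset lookup"
        cboAsset.Dock = DockStyle.Top
        btnFind.Text = "Find"
        btnFind.Dock = DockStyle.Top
        DataGridView1.Dock = DockStyle.Fill
        DataGridView1.ReadOnly = True
        Controls.Add(DataGridView1)
        Controls.Add(btnFind)
        Controls.Add(cboAsset)
        AddHandler btnFind.Click, AddressOf OnFind
    End Sub

    ' Returns every row whose Asset_Tag equals assetTag. The value travels as a
    ' parameter, so quotes or SQL keywords typed into the combo box stay data.
    Public Shared Function LoadAssets(ByVal assetTag As String) As DataTable
        Dim table As New DataTable("tblAssets")
        Using con As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand( _
                "SELECT * FROM tblAssets WHERE Asset_Tag = ?", con)
                ' OleDb binds by position, not by name: add parameters in the
                ' same order as the ? markers. "@tag" is only a label.
                ' Type and size follow the thread's code.
                cmd.Parameters.Add("@tag", OleDbType.VarChar, 30).Value = assetTag
                Using adapter As New OleDbDataAdapter(cmd)
                    adapter.Fill(table)   ' opens and closes the connection itself
                End Using
            End Using
        End Using
        Return table
    End Function

    Private Sub OnFind(ByVal sender As Object, ByVal e As EventArgs)
        Try
            ' A DataTable is a list source, so the grid can bind to it directly;
            ' a DataReader is forward-only and cannot be bound this way.
            DataGridView1.DataSource = LoadAssets(cboAsset.Text.Trim())
        Catch ex As OleDbException
            MessageBox.Show("Lookup failed: " & ex.Message)
        End Try
    End Sub

    <STAThread()> _
    Public Shared Sub Main()
        Application.EnableVisualStyles()
        Application.Run(New AssetForm())
    End Sub
End Class
```

Placeholders carry values only; a table or column name chosen at run time has to be checked against a fixed list of known names before it is concatenated into the SQL text.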
Thank you, that's a great place for me to start to learn this!
Bill

Jul 21 '08 #15
