"David" <Da***@discussions.microsoft.com> wrote:
If I have a SQL statement as illustrated below, what is the best way to
append parameters to the command?
Dim sql As New Text.StringBuilder
sql.Append("INSERT Table ")
sql.Append("(col1, col2) ")
sql.Append("VALUES (?, ?)")
Sample (look for "INSERT INTO"):
.NET Framework Class Library -- 'SqlDataAdapter' Constructor ('SqlCommand')
<URL:http://msdn.microsoft.com/library/en-us/cpref/html/frlrfSystemDataSqlClientSqlDataAdapterClassctorTopic2.asp>
The sample shows how to use a parameterized command. This approach is
recommended over building up the whole command string by hand because it
protects from SQL injection.
--
M S Herfried K. Wagner
M V P <URL:http://dotnet.mvps.org/>
V B <URL:http://classicvb.org/petition/>
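
Added example (not part of the original post or the linked MSDN sample): the question's statement with its positional "?" markers bound through OleDbCommand parameters. The OleDb provider, the table name Table1, the column types and the sample value are assumptions made for illustration.

```vbnet
Imports System
Imports System.Data.OleDb
Imports System.Text

Module ParameterizedInsert

    ' Builds the INSERT with positional "?" markers and binds the values
    ' as parameters. OleDb matches parameters to markers by the order in
    ' which they are added, not by name; the names are only labels.
    ' Table1 and the column types are assumptions for this example.
    Function BuildInsert(ByVal col1 As String, ByVal col2 As Integer) As OleDbCommand
        Dim sql As New StringBuilder()
        sql.Append("INSERT INTO Table1 ")
        sql.Append("(col1, col2) ")
        sql.Append("VALUES (?, ?)")

        Dim cmd As New OleDbCommand(sql.ToString())
        cmd.Parameters.Add("col1", OleDbType.VarWChar, 50).Value = col1
        cmd.Parameters.Add("col2", OleDbType.Integer).Value = col2
        Return cmd
    End Function

    Sub Main()
        ' Constructed input: the apostrophe would break a statement built
        ' by string concatenation, but here it travels only as a value.
        Dim cmd As OleDbCommand = BuildInsert("O'Brien", 42)

        ' The statement text never contains the user-supplied value.
        Console.WriteLine(cmd.CommandText)
        For Each p As OleDbParameter In cmd.Parameters
            Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.OleDbType, p.Value)
        Next

        ' To execute, attach a connection (placeholder connection string):
        ' Using conn As New OleDbConnection("<connection string>")
        '     cmd.Connection = conn
        '     conn.Open()
        '     cmd.ExecuteNonQuery()
        ' End Using
    End Sub

End Module
```

With SqlClient, as in the linked sample, the markers are named (for example @col1) instead of "?" and the parameters are matched by name.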