
Trying to insert textbox data into database

PGM

Private Sub Button1_Click_1(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim Projname, ProjSpon As String
    Dim AppName, AppType, AppSupp, AppDesc As String
    Dim VendName, VendPhone As String
    Dim ReqName, ReqPurp As String
    Dim BudgItem, BudgNum As String
    Dim BudgOnly As Integer
    Dim MyConnObj As ADODB.Connection
    Dim SQLcmd As ADODB.Command

    If chkBudg.Checked = True Then BudgOnly = 1 Else BudgOnly = 0

    Projname = Convert.ToString(txtProjName.Text)
    ProjSpon = Convert.ToString(txtProjSpon.Text)
    AppName = Convert.ToString(txtAppName.Text)
    VendName = Convert.ToString(txtVendName.Text)
    VendPhone = Convert.ToString(txtVendPhone.Text)
    AppType = Convert.ToString(cmbAppType.SelectedItem)
    AppSupp = Convert.ToString(cmbAppSupp.SelectedItem)
    AppDesc = Convert.ToString(txtAppDes.Text)
    ReqName = Convert.ToString(txtReqName.Text)
    ReqPurp = Convert.ToString(cmbReqPurp.SelectedItem)
    BudgItem = Convert.ToString(cmbBudgetItem.SelectedItem)
    BudgNum = Convert.ToString(txtbudgetNum.Text)

    Dim strSQL As String
    Dim strConn As String

    'The field values are spliced straight into the SQL text; a quote character in any
    'of them changes the statement (this is the problem the replies point out)
    strSQL = "Insert Into system.ServerRequest Values('" & BudgOnly & "','" & _
             Projname & "','" & ProjSpon & "','" & AppName & "','" & VendName & "','" & _
             VendPhone & "','" & AppType & "','" & AppSupp & "','" & AppDesc & "','" & _
             ReqName & "','" & ReqPurp & "','" & BudgItem & "','" & BudgNum & "')"

    MsgBox("SQL:" & strSQL)

    strConn = "Provider=SQLOLEDB.1;Password=vbuser;Persist Security Info=True;" & _
              "User ID=VBuser;Initial Catalog=Masterserver;Data Source=patmtest\sqlexpress"

    MyConnObj = New ADODB.Connection
    MyConnObj.Open(strConn)

    SQLcmd = New ADODB.Command
    SQLcmd.ActiveConnection = MyConnObj
    SQLcmd.CommandText = strSQL
    SQLcmd.Execute()

    MyConnObj.Close()
    MyConnObj = Nothing
End Sub

Jun 27 '08 #1
PGM wrote:
Private Sub Button1_Click_1(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

Dim Projname, ProjSpon As String
There's your first problem: consider what happens if there's an apostrophe
in one of the names: it will break your SQL string. Or worse, your database
could be the victim of an SQL injection attack.

You will need to use a parameterized query. I can't find a basic explanation
quickly; Google has the answer somewhere.

And if you're using SQL Server, you might as well go through
System.Data.SqlClient rather than OleDb.

HTH

Andrew
Jun 27 '08 #2
PGM
Thank you a ton,
I am a newbie to this .Net stuff, as if you couldn't tell. You pointed
me in the right direction and now I have it working. Thank You!! Changed
Code:

'At the top of the form's code file
Imports System.Data
Imports System.Data.SqlClient

Private Sub Button1_Click_1(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim Projname, ProjSpon As String
    Dim AppName, AppType, AppSup, AppDesc As String
    Dim VendName, VendPhone As String
    Dim ReqName, ReqPurp As String
    Dim BudgItem, BudgNum As String
    Dim BudgetOnly As Integer

    If chkBudg.Checked = True Then BudgetOnly = 1 Else BudgetOnly = 0

    Projname = Convert.ToString(txtProjName.Text)
    ProjSpon = Convert.ToString(txtProjSpon.Text)
    AppName = Convert.ToString(txtAppName.Text)
    VendName = Convert.ToString(txtVendName.Text)
    VendPhone = Convert.ToString(txtVendPhone.Text)
    AppType = Convert.ToString(cmbAppType.SelectedItem)
    AppSup = Convert.ToString(cmbAppSupp.SelectedItem)
    AppDesc = Convert.ToString(txtAppDes.Text)
    ReqName = Convert.ToString(txtReqName.Text)
    ReqPurp = Convert.ToString(cmbReqPurp.SelectedItem)
    BudgItem = Convert.ToString(cmbBudgetItem.SelectedItem)
    BudgNum = Convert.ToString(txtbudgetNum.Text)

    'Create the Database Connection String
    '(with Integrated Security=sspi, SqlClient authenticates as the Windows user and ignores User ID/Password)
    Dim MserverConnection As New SqlConnection("Data Source=patmtest\sqlexpress;Integrated Security=sspi;" & _
                                               "Initial Catalog=MasterServer;User ID=Vbuser;Password=Vbuser")

    'Create the stored-procedure command
    Dim SQLcmd As SqlCommand = New SqlCommand("dbo.InsertNewServerRequest", MserverConnection)
    SQLcmd.CommandType = CommandType.StoredProcedure

    'Each value is passed as a parameter, never spliced into the SQL text
    SQLcmd.Parameters.Add(New SqlParameter("@BudgetOnly", BudgetOnly))
    SQLcmd.Parameters.Add(New SqlParameter("@ProjName", Projname))
    SQLcmd.Parameters.Add(New SqlParameter("@ProjSpon", ProjSpon))
    SQLcmd.Parameters.Add(New SqlParameter("@AppName", AppName))
    SQLcmd.Parameters.Add(New SqlParameter("@VendName", VendName))
    SQLcmd.Parameters.Add(New SqlParameter("@VendPhone", VendPhone))
    SQLcmd.Parameters.Add(New SqlParameter("@AppType", AppType))
    SQLcmd.Parameters.Add(New SqlParameter("@AppSup", AppSup))
    SQLcmd.Parameters.Add(New SqlParameter("@AppDesc", AppDesc))
    SQLcmd.Parameters.Add(New SqlParameter("@ReqName", ReqName))
    SQLcmd.Parameters.Add(New SqlParameter("@ReqPurp", ReqPurp))
    SQLcmd.Parameters.Add(New SqlParameter("@BudgItem", BudgItem))
    SQLcmd.Parameters.Add(New SqlParameter("@BudgNum", BudgNum))

    MsgBox("The Command: " & SQLcmd.Parameters.Count)

    'Set a Command Timeout Value
    SQLcmd.CommandTimeout = 30

    'Create SQLdataAdapter (declared here but not used by the insert below)
    Dim ServerInfoDA As SqlDataAdapter = New SqlDataAdapter(SQLcmd.CommandText, MserverConnection)
    MsgBox("Created Dataadapter")

    'Open Database Connection
    SQLcmd.Connection.Open()
    MsgBox("SQL Connection established")

    'Execute the SQL Stored Procedure with Parameters
    '(an insert returns no rows, so ExecuteNonQuery rather than ExecuteReader, which would leave an open reader)
    SQLcmd.ExecuteNonQuery()
    MsgBox("SQL Command Executed")

    'Close the connection to the database
    SQLcmd.Connection.Close()
    MsgBox("Connection Closed")
End Sub

Jun 27 '08 #3
PGM

You did not need to use a SP, you could have done it with a
parameterized SQL command (although a SP is fine).

But if you were really smart, you would have used the data adapter from a
dataset, as you then get the benefit of strong typing in your code:
add a new dataset to your project, go to design view, add a new data adapter
and use the wizard, select your base Table or View.
Now you can extend the table adapter with any query you like. Parameters are
typed with a @ prefix in SQL Server; in Access?

Also another remark: a textbox is returning a string, so why convert a string
to a string?

HTH

Michel

Jun 27 '08 #4
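The breakage Andrew describes (an apostrophe in a name splitting the spliced-together INSERT) and the plain parameterized command Michel mentions, shown side by side as an added example that is not code from the thread. It is written in Python over an in-memory SQLite table so it runs stand-alone; the table is narrowed to three of the thread's columns and the sample rows are constructed. SQLite accepts the same @-prefixed parameter names that SqlClient uses, so the parameterized statement reads like its SqlCommand counterpart.

```python
import sqlite3

# Constructed sample rows (not from the thread); the second sponsor carries the
# apostrophe Andrew warns about.
SAMPLE_ROWS = [
    {"budget_only": 1, "proj_name": "Payroll upgrade", "proj_spon": "Finance"},
    {"budget_only": 0, "proj_name": "Patient portal", "proj_spon": "Dr. O'Brien"},
]

def open_db():
    """In-memory stand-in for the thread's ServerRequest table, narrowed to three columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ServerRequest (BudgetOnly INTEGER, ProjName TEXT, ProjSpon TEXT)")
    return conn

def build_concatenated(row):
    """The original post's pattern: field values spliced straight into the SQL text."""
    return ("INSERT INTO ServerRequest VALUES('" + str(row["budget_only"]) + "','"
            + row["proj_name"] + "','" + row["proj_spon"] + "')")

def insert_concatenated(conn, row):
    """True if the spliced statement ran; False when a quote in a value broke the syntax."""
    try:
        conn.execute(build_concatenated(row))
        return True
    except sqlite3.OperationalError:
        return False

def insert_parameterized(conn, row):
    """The fix from the replies: @-named placeholders in the text, values bound separately."""
    conn.execute(
        "INSERT INTO ServerRequest (BudgetOnly, ProjName, ProjSpon) "
        "VALUES (@BudgetOnly, @ProjName, @ProjSpon)",
        {"BudgetOnly": row["budget_only"], "ProjName": row["proj_name"],
         "ProjSpon": row["proj_spon"]},
    )
    return True

def stored_sponsors(conn):
    """ProjSpon column in insertion order, to show the apostrophe survived intact."""
    return [r[0] for r in conn.execute("SELECT ProjSpon FROM ServerRequest ORDER BY rowid")]

def demo():
    """Returns ([concatenated outcome per row], [sponsors stored by the parameterized path])."""
    concat_ok = [insert_concatenated(open_db(), row) for row in SAMPLE_ROWS]
    conn = open_db()
    for row in SAMPLE_ROWS:
        insert_parameterized(conn, row)
    return concat_ok, stored_sponsors(conn)
```

The concatenated path succeeds for the first row and fails on "Dr. O'Brien"; the parameterized path stores both rows unchanged, because the bound value is never parsed as SQL.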
