-2

I am new to VB.NET. I have a VB.NET project that connects to an Access 2003 database, and I want to insert data into the Access database through VB.NET. I am using SQL commands. Here is the code, but it's not working for me:

cmd.CommandText = "INSERT INTO info(nam, employed, ple, mertebe, navonishan, sermoche, moche, dxindin, dbemoche, brwaname)" + " VALUES (" & Me.NamTextBox.Text & ",'" & CDate(Me.EmployedDateTimePicker.Text) & "','" & CInt(Me.PleTextBox.Text) & "','" & CInt(Me.MertebeTextBox.Text) & "','" & Me.NavonishanTextBox.Text & "','" & CDate(Me.SermocheDateTimePicker.Text) & "','" & CInt(Me.MocheTextBox.Text) & "','" & CByte(Me.DxindinCheckBox.Checked) & "','" & CByte(Me.DbemocheCheckBox.Checked) & "','" & Me.BrwanameTextBox.Text & "' );"
Cody Gray - on strike

1 Answer

0

Use a parameterized query.

cmd.CommandText = "INSERT INTO info(nam, employed, ple, mertebe, navonishan, " & _
                  "sermoche, moche, dxindin, dbemoche, brwaname) VALUES (" & _
                  "?,?,?,?,?,?,?,?,?,?)"
cmd.Parameters.AddWithValue("@p1", Me.NamTextBox.Text)
cmd.Parameters.AddWithValue("@p2", Convert.ToDateTime(Me.EmployedDateTimePicker.Text))
cmd.Parameters.AddWithValue("@p3", Convert.ToInt32(Me.PleTextBox.Text))
cmd.Parameters.AddWithValue("@p4", Convert.ToInt32(Me.MertebeTextBox.Text))
cmd.Parameters.AddWithValue("@p5", Me.NavonishanTextBox.Text)
cmd.Parameters.AddWithValue("@p6", Convert.ToDateTime(Me.SermocheDateTimePicker.Text))
cmd.Parameters.AddWithValue("@p7", Convert.ToInt32(Me.MocheTextBox.Text))
cmd.Parameters.AddWithValue("@p8", Me.DxindinCheckBox.Checked)
cmd.Parameters.AddWithValue("@p9", DbemocheCheckBox.Checked)
cmd.Parameters.AddWithValue("@p10", Me.BrwanameTextBox.Text)

Apart from the string concatenation, this way you don't risk passing a value intended to be a number or a date with the wrong formatting rules (your numeric or date values should not be enclosed in single quotes).

Of course, this also avoids the SQL injection problems stated by others (Cody Gray) in the comments.

Steve
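
An added example, not part of the answer above or of the asker's project: the same INSERT with explicitly typed OleDb parameters and with the numeric text boxes validated before anything reaches the database. The module name, function name, parameter labels and connection string path are assumptions, since the page does not show how `cmd` or its connection is created.

```vbnet
Imports System.Data.OleDb

Module InfoInsertExample
    ' Placeholder connection string (assumption): the page does not show one.
    Private Const ConnStr As String =
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\path\to\database.mdb"

    ' Column names are taken from the question. OleDb binds "?" placeholders
    ' strictly by the order parameters are added; the names are labels only.
    Private Const InsertSql As String =
        "INSERT INTO info (nam, employed, ple, mertebe, navonishan, " &
        "sermoche, moche, dxindin, dbemoche, brwaname) " &
        "VALUES (?,?,?,?,?,?,?,?,?,?)"

    ' Hypothetical helper: returns True when exactly one row was inserted,
    ' False when one of the numeric fields does not parse as an Integer.
    Function InsertInfo(nam As String, employed As Date, pleText As String,
                        mertebeText As String, navonishan As String,
                        sermoche As Date, mocheText As String,
                        dxindin As Boolean, dbemoche As Boolean,
                        brwaname As String) As Boolean
        Dim ple, mertebe, moche As Integer
        ' Reject non-numeric text up front instead of letting a conversion throw.
        If Not (Integer.TryParse(pleText, ple) AndAlso
                Integer.TryParse(mertebeText, mertebe) AndAlso
                Integer.TryParse(mocheText, moche)) Then
            Return False
        End If

        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(InsertSql, conn)
                ' Explicit OleDbType: the provider does not infer types from values.
                With cmd.Parameters
                    .Add("@nam", OleDbType.VarWChar).Value = nam
                    .Add("@employed", OleDbType.Date).Value = employed
                    .Add("@ple", OleDbType.Integer).Value = ple
                    .Add("@mertebe", OleDbType.Integer).Value = mertebe
                    .Add("@navonishan", OleDbType.VarWChar).Value = navonishan
                    .Add("@sermoche", OleDbType.Date).Value = sermoche
                    .Add("@moche", OleDbType.Integer).Value = moche
                    .Add("@dxindin", OleDbType.Boolean).Value = dxindin
                    .Add("@dbemoche", OleDbType.Boolean).Value = dbemoche
                    .Add("@brwaname", OleDbType.VarWChar).Value = brwaname
                End With
                conn.Open()
                Return cmd.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function
End Module
```

From the form, pass `EmployedDateTimePicker.Value` and `SermocheDateTimePicker.Value` for the two dates so no date ever round-trips through a culture-dependent string.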