[RESOLVED] [2005] Creating SQL commands
I'm just trying to get the hang of SQL and .NET. I was wondering can I use the field, from a textbox for example, to help create my SQL command?
This wont work so obviously there's a problem with doing it this way:
vb Code:
' Set the SELECT statement for the Command object
cmdUserSelect.CommandText = "SELECT ShapeID, " _
& "Shape, Colour " _
& "FROM Features WHERE Shape = " & Me.shape.Text
Am I close or miles away?
Re: [2005] Creating SQL commands
I'm assuming shape is a textbox then?
If so then yeah you'll be able to do that but remember that any strings need to be put in single quotes.
Hope this helps :thumb:
Re: [2005] Creating SQL commands
Also if doing it this way use a Replace to replace any single qoutes with 2 single qoutes.
vb Code:
cmdUserSelect.CommandText = "SELECT ShapeID, " _
& "Shape, Colour " _
& "FROM Features WHERE Shape = '" & Me.shape.Text.Replace("'","''").Trim() & "'"
Re: [2005] Creating SQL commands
If it's a string field, you need single quotes around it.
vb Code:
cmdUserSelect.CommandText = "SELECT ShapeID, " _ & "Shape, Colour " _
& "FROM Features WHERE Shape = '" & Me.shape.Text & "'"
Also, read this MSDN article on SQL Injection to learn why you have to be very careful about appending user supplied strings into SQL statements. :eek:
Re: [2005] Creating SQL commands
You could also look into sql parameters because they get rid of having to do any of that.
:thumb:
Re: [2005] Creating SQL commands
Thanks guys. Getting there slowly but surely. :thumb: