Results 1 to 2 of 2

Thread: Troublesome SQL insert statements

  1. #1

    Thread Starter
    Hyperactive Member cptHotkeys's Avatar
    Join Date
    Apr 2007
    Location
    New Zealand
    Posts
    294

    Troublesome SQL insert statements

    What charectors / words are not allowed in an INSERT statement (or any statement for that matter).for example.

    Code:
    strInsertStatement = "INSERT INTO tblTable values('" & string1 & "','" & string2 & "','" & string3 & "')"
    what charectors and or words must be striped from the string1,2,3 variables to ensure I do not get errors, I am having problems inserting ID3 comments into a database and quite often they contain various charectors that only a clown would type, and it even appears that sometimes the people who wrote the tags wrote them deliberatly in such way that problems would be encountered...
    Is there a way to not worry about what the strings contain, because its giving me a headache, it would be good if there was a charector for sql statements that indicates the following text in the statement is a variable to use rather than part of the instructional statement itself, I dont know of this, but it would make it good for doing things like storing querys in a database.

    I want to do as little validation as possible as the app will usually insert between 1000 and 10'000 rows, and each row has about 13 collumns, so that would leave the user with quite a wait before being able to use all of this data.

    thanks in advance

  2. #2
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    111,222

    Re: Troublesome SQL insert statements

    You are not the only one who does this so this is not directed at you specifically but I'm seriously sick of posting this: do NOT use string concatenation to build SQL statements. If you do it properly and use parameters then you don't even have to think about illegal characters because there are none:
    VB.NET Code:
    1. Dim myCommand As New SqlCommand
    2.  
    3. myCommand.CommandText = "INSERT INTO MyTable (Column1, Column2, Column3) VALUES (@Column1, @Column2, @Column3)"
    4. myCommand.Parameters.AddWithValue("@Column1", string1)
    5. myCommand.Parameters.AddWithValue("@Column2", string2)
    6. myCommand.Parameters.AddWithValue("@Column3", string3)
    There are several reasons to use parameters and this is only one of them.
    Why is my data not saved to my database? | MSDN Data Walkthroughs
    VBForums Database Development FAQ
    My CodeBank Submissions: VB | C#
    My Blog: Data Among Multiple Forms (3 parts)
    Beginner Tutorials: VB | C# | SQL

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width