Hi guys

I wrote this little function to allow me to pass an ArrayList of Strings and then, based on the table passed, pre-build a SQLCommand like so:

INSERT INTO `table` (`column`,`column`) VALUES (`value1`,`value2`);

The function for this is here:

Code:
    Public Function _SQLInsertBuilder(ByVal values As ArrayList, ByVal Table As String) As String

        Dim commandString As String
        ' GetTables is a helper elsewhere in the project; here it is expected
        ' to return the column names of the given table as an ArrayList
        Dim columns As ArrayList = GetTables(Table)
        commandString = "INSERT INTO `" & Table & "` ("
        For Each column As String In columns
            commandString += "`" & column & "`,"
        Next
        'Strip the last comma (String has a Length property, not Count)
        commandString = commandString.Substring(0, commandString.Length - 1)
        commandString += ") VALUES ("
        For Each value As String In values
            ' Note: in MySQL, backticks quote identifiers (table/column names),
            ' not string literals, and the value is still concatenated raw
            commandString += "`" & value & "`,"
            ' We have to parameterize the values : TODO SAFETY/SECURITY
            frmDebug.lstMessages.Items.Add("Current Value is " & value)
        Next
        'Strip the last comma
        commandString = commandString.Substring(0, commandString.Length - 1)
        commandString += ")"
        Return commandString
    End Function
Now I know that, much like mysql_real_escape_string(), VB.NET has a Parameter ability to make queries safer.

But what I want to know is if a query that can build itself like this is a GOOD idea or a TERRIBLE one.

If it's good, how could I parameterise the values during the build of the string?

Many thanks, Barra.
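Added example (not code from the original post): a version of the builder that keeps the "build the INSERT from a list" idea but returns a ready-to-run MySqlCommand instead of a string. The values go in as @pN parameters, so quoting is handled by the driver; the table and column names cannot be parameters in SQL, so they are checked against a whitelist pattern before being wrapped in backticks. It assumes MySQL Connector/NET (MySql.Data.MySqlClient) and that the caller supplies the column names explicitly rather than via the post's GetTables helper.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Text.RegularExpressions
Imports MySql.Data.MySqlClient

Public Module SqlInsertBuilder

    ' Identifiers (table and column names) cannot be passed as parameters,
    ' so they are validated against a strict whitelist pattern instead.
    Private ReadOnly SafeIdentifier As New Regex("^[A-Za-z0-9_]+$")

    Private Function QuoteIdentifier(ByVal name As String) As String
        If Not SafeIdentifier.IsMatch(name) Then
            Throw New ArgumentException("Unsafe identifier: " & name)
        End If
        Return "`" & name & "`"
    End Function

    ' Builds a MySqlCommand whose SQL text contains only whitelisted
    ' identifiers and @pN placeholders. The user-supplied values travel
    ' as parameters and are never concatenated into the statement text.
    Public Function BuildInsert(ByVal connection As MySqlConnection,
                                ByVal table As String,
                                ByVal columns As IList(Of String),
                                ByVal values As IList(Of Object)) As MySqlCommand
        If columns.Count <> values.Count Then
            Throw New ArgumentException("Column/value count mismatch")
        End If

        Dim columnList As New List(Of String)
        Dim placeholderList As New List(Of String)
        Dim cmd As New MySqlCommand()
        cmd.Connection = connection

        For i As Integer = 0 To columns.Count - 1
            columnList.Add(QuoteIdentifier(columns(i)))
            Dim paramName As String = "@p" & i
            placeholderList.Add(paramName)
            ' AddWithValue infers the MySqlDbType from the .NET type;
            ' a Nothing value is sent as SQL NULL via DBNull.Value.
            cmd.Parameters.AddWithValue(paramName, If(values(i), DBNull.Value))
        Next

        ' String.Join also removes the need to strip a trailing comma.
        cmd.CommandText = "INSERT INTO " & QuoteIdentifier(table) &
                          " (" & String.Join(",", columnList) & ")" &
                          " VALUES (" & String.Join(",", placeholderList) & ")"
        Return cmd
    End Function

    ' Usage with constructed sample values (the apostrophe in O'Brien
    ' needs no escaping because it never enters the SQL text):
    '
    '   Using conn As New MySqlConnection(connectionString)
    '       conn.Open()
    '       Dim cmd As MySqlCommand = BuildInsert(conn, "users",
    '           New String() {"name", "email"},
    '           New Object() {"O'Brien", "ob@example.com"})
    '       ' cmd.CommandText is:
    '       '   INSERT INTO `users` (`name`,`email`) VALUES (@p0,@p1)
    '       cmd.ExecuteNonQuery()
    '   End Using

End Module
```

The design choice worth noting: parameters only cover values. If the table or column names also come from outside the program (as they do in the post's design, where the table name is an argument), the whitelist check on identifiers is what stands between the caller and injection into that part of the statement.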