
Thread: stored proc values

  1. #1 Thread Starter (texas), Hyperactive Member, Austin, joined Aug 2001, 397 posts

    What do I need to put after this: strStoredProc = "EXEC p_test_data_entry @claim1 = '" & Me.txt_claim.Text & "'"


    so I can get the values of the remaining values?


    Code:
            strStoredProc = "EXEC p_test_data_entry @claim1 = '" & Me.txt_claim.Text & "'" '@refund = '" & Me.DropDownList_refund_type.SelectedItem.Text & "' @reason = '" & Me.DropDownList_reason_overpay.SelectedItem.Text & "'"


    Code:
        Private Sub btn_save_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btn_save.Click
    
            Dim strStoredProc As String
            Dim myConnection As New SqlConnection("data source=AUS-REPORTING;initial catalog=Log;user id=user;password=password")
            Dim x As String
    
            ' Note: the lone apostrophe after the first closing quote starts a VB comment,
            ' so everything from '@refund onward is not part of the string; only @claim1 is sent.
            strStoredProc = "EXEC p_test_data_entry @claim1 = '" & Me.txt_claim.Text & "'" '@refund = '" & Me.DropDownList_refund_type.SelectedItem.Text & "' @reason = '" & Me.DropDownList_reason_overpay.SelectedItem.Text & "'"
    
            Dim sqlCmd As New SqlClient.SqlCommand(strStoredProc, myConnection)
    
            'Try
            myConnection.Open()
    
            sqlCmd.ExecuteNonQuery()
    
            myConnection.Close()
            'Catch
            '    myConnection.Close()
            'End Try
    
        End Sub

  2. #2 hellswraith, PowerPoster, Washington St., joined Jul 2002, 2,464 posts
    I don't understand what you are asking. Post your stored procedure, and I will try to figure out what you are doing wrong.

  3. #3 Thread Starter (texas), Hyperactive Member, Austin, joined Aug 2001, 397 posts
    I'm not sure how to write the string to pass the values to the stored proc.

    Values for @claim1, @refund, @reason:



    Code:
        strStoredProc = "EXEC p_test_data_entry @claim1 = '" & Me.txt_claim.Text & "'" '@refund = '" & Me.DropDownList_refund_type.SelectedItem.Text & "' @reason = '" & Me.DropDownList_reason_overpay.SelectedItem.Text & "'"

  4. #4 hellswraith, PowerPoster, Washington St., joined Jul 2002, 2,464 posts
    Code:
        Private Sub btn_save_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btn_save.Click

            Dim strStoredProc As String
            Dim myConnection As New SqlConnection("data source=AUS-REPORTING;initial catalog=Log;user id=user;password=password")

            ' Name the procedure only; no EXEC and no hand-built argument list.
            strStoredProc = "p_test_data_entry"

            Dim sqlCmd As New SqlClient.SqlCommand(strStoredProc, myConnection)
            sqlCmd.CommandType = CommandType.StoredProcedure

            ' Each value is sent as a typed parameter, never spliced into SQL text.
            ' (Add(name, value) is the .NET 1.x overload; .NET 2.0 and later use AddWithValue.)
            sqlCmd.Parameters.Add("@claim1", Me.txt_claim.Text)
            sqlCmd.Parameters.Add("@refund", Me.DropDownList_refund_type.SelectedItem.Text)
            sqlCmd.Parameters.Add("@reason", Me.DropDownList_reason_overpay.SelectedItem.Text)

            Try
                myConnection.Open()
                sqlCmd.ExecuteNonQuery()
            Finally
                ' Close the connection even if the procedure raises an error.
                myConnection.Close()
            End Try

        End Sub

  5. #5 Thread Starter (texas), Hyperactive Member, Austin, joined Aug 2001, 397 posts
    I got it:


    Code:
        strStoredProc = "EXEC p_test_data_entry @claim1 = '" & Me.txt_claim.Text & "', @refund = '" & Me.DropDownList_refund_type.SelectedItem.Text & "', @reason = '" & Me.DropDownList_reason_overpay.SelectedItem.Text & "'"



    hell.... thanks for the help.
    Last edited by texas; Jan 21st, 2004 at 11:37 AM.

  6. #6 hellswraith, PowerPoster, Washington St., joined Jul 2002, 2,464 posts
    OK, but building a string like you are doing is hard to debug and find errors in, as you have noticed.

    Using the built in parameters collection of the command object will simplify development, make it easier to debug, etc. You might want to give serious thought on how you are doing it compared to the other ways.

    Also, look at the Data Application Block from MS. Just do a search for it on Google to find it.

  7. #7 Hyperactive Member, Fort Collins, CO, joined Aug 2002, 366 posts
    Yeah, you also might leave yourself open to a SQL injection attack.
    Let's say you have a table like this:
    SQL Code:
    create table TexasTable (UserName varchar(10) not null)
    and a stored proc like this:
    SQL Code:
    create proc TexasProc (@UserName varchar(50)) as
    -- do nothing
    return
    Now let's say you have some code to build the SQL like this:
    VB Code:
    sqlText = "Exec TexasProc @UserName='" & Me.txtUserName.Text & "'"
    Some bored kid, trying all weekend long, might finally try sending in the value '';Drop Table TexasTable;select '' for the Me.txtUserName.Text field. Unless you're checking the values that are being entered in those fields or are using a read-only type of account, bye bye table. Try it out; I didn't believe it until I tried it out at home using basically the same code as above. Using the xxxCommand object and xxxParameters collections like hellswraith suggested protects against a lot of this kind of code.
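The two behaviours described in this thread, string concatenation (#1, #5, #7) versus the parameters collection (#4, #6), as an added example that is not code from the thread. It is a Python script against an in-memory SQLite database, used here as a stand-in: SQLite has no stored procedures, so a plain `insert ... select` plays the role of `Exec TexasProc`, and the table, column and payload are constructed for this example. `run_concatenated()` splices the "textbox" value into the statement text the way the VB string does and runs the result as a multi-statement batch, which is what a CommandType.Text command becomes on the server; `run_parameterized()` binds the same value as a parameter.

```python
import sqlite3

# Constructed stand-ins for the objects in post #7 (SQLite does not enforce
# varchar length, which is why a 30-character payload fits a varchar(10)).
SCHEMA = "create table TexasTable (UserName varchar(10) not null)"

# Constructed payload: close the open literal, run a second statement, then
# open a new literal so the trailing quote added by the VB code is absorbed.
PAYLOAD = "';Drop Table TexasTable;select '"


def fresh_db():
    """New in-memory database containing only TexasTable."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def table_exists(db):
    row = db.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'TexasTable'"
    ).fetchone()
    return row[0] == 1


def build_concatenated(user_name):
    """What the VB code does: the value becomes part of the SQL text."""
    return "insert into TexasTable (UserName) select '" + user_name + "'"


def run_concatenated(user_name):
    """Run the concatenated text as a batch; returns whether the table survived."""
    db = fresh_db()
    # executescript() runs every statement in the string, like a SQL Server
    # batch does; the payload's ';' therefore introduces real statements.
    db.executescript(build_concatenated(user_name))
    return table_exists(db)


def run_parameterized(user_name):
    """Bind the value instead; returns (table survived, value actually stored)."""
    db = fresh_db()
    # The statement text is fixed; the value travels separately and cannot
    # terminate the literal, so the whole payload is stored as a username.
    db.execute("insert into TexasTable (UserName) values (?)", (user_name,))
    stored = db.execute("select UserName from TexasTable").fetchone()[0]
    return table_exists(db), stored


if __name__ == "__main__":
    print("concatenated SQL:", build_concatenated(PAYLOAD))
    print("table survives concatenation with 'texas':", run_concatenated("texas"))
    print("table survives concatenation with payload:", run_concatenated(PAYLOAD))
    print("parameterized (survived, stored):", run_parameterized(PAYLOAD))
```

With CommandType.StoredProcedure, as in post #4, SqlClient sends the procedure name and its parameters as an RPC call rather than as statement text, so there is no SQL string for the value to break out of. Input checking and a low-privilege account, the two mitigations post #7 mentions, are still worth having, but as a second line behind parameters, not instead of them.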
