[RESOLVED] [2005] Creating SQL commands

**stimbo** · Mar 20th, 2007, 12:40 PM

I'm just trying to get the hang of SQL and .NET. I was wondering can I use the field, from a textbox for example, to help create my SQL command?

This wont work so obviously there's a problem with doing it this way:

vb Code:

' Set the SELECT statement for the Command object
            cmdUserSelect.CommandText = "SELECT ShapeID, " _
                & "Shape, Colour " _
                & "FROM Features WHERE Shape = " & Me.shape.Text

Am I close or miles away?

**Kimmy4** · Mar 20th, 2007, 12:50 PM

I'm assuming shape is a textbox then?
If so then yeah you'll be able to do that but remember that any strings need to be put in single quotes.

Hope this helps

**GaryMazzone** · Mar 20th, 2007, 12:56 PM

Also if doing it this way use a Replace to replace any single qoutes with 2 single qoutes.

vb Code:

cmdUserSelect.CommandText = "SELECT ShapeID, " _
        & "Shape, Colour " _                
        & "FROM Features WHERE Shape = '" & Me.shape.Text.Replace("'","''").Trim() & "'"

**bgmacaw** · Mar 20th, 2007, 12:57 PM

If it's a string field, you need single quotes around it.

vb Code:

cmdUserSelect.CommandText = "SELECT ShapeID, " _                & "Shape, Colour " _
    & "FROM Features WHERE Shape = '" & Me.shape.Text & "'"

Also, read this MSDN article on SQL Injection to learn why you have to be very careful about appending user supplied strings into SQL statements.

**Kimmy4** · Mar 20th, 2007, 12:58 PM

You could also look into sql parameters because they get rid of having to do any of that.

**stimbo** · Mar 20th, 2007, 01:21 PM

Thanks guys. Getting there slowly but surely.

Thread: [RESOLVED] [2005] Creating SQL commands

Thread Tools

Display

[RESOLVED] [2005] Creating SQL commands

Re: [2005] Creating SQL commands

Re: [2005] Creating SQL commands

Re: [2005] Creating SQL commands

Re: [2005] Creating SQL commands

Re: [2005] Creating SQL commands

Posting Permissions