CommandText property

[mmarkym]

Hi,
I have a class that contains a function DataInsert that uses the command objects command text property to insert data into a sql database. In the code below the insert statement is reading the literal values. I want to insert the txtboxes instead of the literal values.

How would I do this.

Class function:
Public Function InsertData(ByVal user, ByVal pass, ByVal fname, ByVal lname) As String
Dim cn As New SqlConnection
Dim cmd As New SqlCommand
Try
cn.ConnectionString = "integrated security=true;data source='mark\netsdk';persist security info=False;initial catalog=Northwind"
cn.Open()
cmd.Connection = cn
cmd.CommandText = "Insert into Login Values ('user', 'pass', 'fname', 'lname')"
Return cmd.ExecuteNonQuery
Catch ex As Exception
MessageBox.Show(ex.Message)
Finally
cn.Close()
End Try
End Function

class Instantiation:

Private Sub btnInsert_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnInsert.Click
Dim oInsertData As New SQLInsert

oInsertData.InsertData(txtUserName.Text, txtPassword.Text, txtFname.Text, txtLname.Text)

End Sub

mark

 

[jmcilhinney]

I suggest that you read about the SqlParameter class. If you want to use variables in an SQL statement that is the proper way to do it. You could simply concatenate the variables into the string but that is hard to read, error-prone and insecure. If anyone advises you otherwise I'd suggest that they don't understand the process properly. Use a parameterised SQL statement. The help topic for the SqlParameter class will have an explanation and a code example.