I read through http://www.vbdotnetforums.com/database-general-discussion/18562-ins-outs-parameterized-queries.html and http://www.vbdotnetforums.com/datab...scussions-about-parameterized-queries-pq.html already and maybe I'm dense but I can't figure it out. When it first started out (many years ago when I was just learning VB) I wrote a "DataAccess.vb" module with something like this (this is a subset but gets the point across):
Then when I want to update data anywhere else in my application I do something like this:
As you can see it's pretty hard to keep track of especially when I have updates to 30+ fields. Not only that when a user enters a single or double quot it throws a SQL error or as mentioned it could also be worse if the users had a idea on how to break a database. I actually wrote a sub that strips out the offending characters just in case and although it works it's not a good workaround.
Now I want to upgrade the program to parameters but I don't understand how. I guess I'm looking for something like what I have, a sub in a module for getting data and one for updating data and then a way to call them. Is there a easy way to do this or a example somewhere? Once I can get the example above done I'm sure I could replicate it across the other 80 - 100 queries I have. I have used a single parameterize query to add a file into SQL but it was off a example and I don't understand really how it does it, just that it works. In that example in the update function I have to declare the parameter with a myCommand.Parameter.Add(theParameter) and I guess I'm worried about having to repeat this code over and over while with the example above I wrote the update code once and can easily reuse it.
Hopefully this makes sense.
-Allan
VB.NET:
Friend Function UpdateData(ByVal strSQL As String, Optional ByVal DocumentsDatabase As Boolean = False) As Integer
' Create our connection string
Dim myConnString As SqlConnection
If DocumentsDatabase = True Then
myConnString = SQLDocumentsConnectionString()
Else
myConnString = SQLConnectionString()
End If
' Create our command
Dim myCommand As SqlCommand = New SqlCommand(strSQL, myConnString)
Try
' Open the connection
myCommand.Connection.Open()
' execute the SQL and return the result
Return myCommand.ExecuteNonQuery()
Catch ex As SqlException
My.Application.Log.WriteEntry("An error was thrown by the UpdateData function. Error Details:" & vbCrLf & ex.Message & vbCrLf & vbCrLf & "SQL Statement: " & strSQL)
Debug.WriteLine("An error was thrown by the UpdateData function. Error Details: " & vbCrLf & ex.Message & vbCrLf & vbCrLf & "SQL Statement: " & strSQL)
Finally
' Close the connection
myCommand.Connection.Close()
myConnString = Nothing
myCommand = Nothing
End Try
End Function
Then when I want to update data anywhere else in my application I do something like this:
VB.NET:
If UpdateData("INSERT INTO tCompanyNotes ([CompanyID], [NoteTitle], [NoteDetails],[DateAdded],[AddedBy]) VALUES (" & mCompanyId & ",'" _
& StripSpacesAndQuotes(TitleTextBox.Text) & "','" & StripSpacesAndQuotes(DetailsTextBox.Text) & "','" & Date.Now.ToShortDateString & "','" & CurrentUserFullName & "')") > 0
' Stuff if successful else stuff for not sucessful
As you can see it's pretty hard to keep track of especially when I have updates to 30+ fields. Not only that when a user enters a single or double quot it throws a SQL error or as mentioned it could also be worse if the users had a idea on how to break a database. I actually wrote a sub that strips out the offending characters just in case and although it works it's not a good workaround.
Now I want to upgrade the program to parameters but I don't understand how. I guess I'm looking for something like what I have, a sub in a module for getting data and one for updating data and then a way to call them. Is there a easy way to do this or a example somewhere? Once I can get the example above done I'm sure I could replicate it across the other 80 - 100 queries I have. I have used a single parameterize query to add a file into SQL but it was off a example and I don't understand really how it does it, just that it works. In that example in the update function I have to declare the parameter with a myCommand.Parameter.Add(theParameter) and I guess I'm worried about having to repeat this code over and over while with the example above I wrote the update code once and can easily reuse it.
Hopefully this makes sense.
-Allan