Thursday, August 02, 2012 8:57 PM
I am attached to a SQL Database from my vb.net application and Inserting some records to it from VB.NET using the code below -
Imports System.Data.SqlClient Public Class frmActivating Dim ConnectionString As String = "Data Source=data-lab;Initial Catalog=DatabaseUsers;User ID=data.lab;Password=secret@123" Dim SqlConnection As New SqlConnection(ConnectionString) Private Sub frmActivating_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load SqlConnection.Open() Dim SQLCOMMANDUPDATE As String = "Update tblActivations Set UserName = '" & frmRegister.txtName.Text & "', EmailAddress = '" & frmRegister.txtEmail.Text & "', Organization = '" & frmRegister.txtOrganization.Text & "', City = '" & frmRegister.txtCity.Text & "', State = '" & frmRegister.txtState.Text & "', RowGuid = '" & g.ToString & "', ModifiedDate = '" & TodaysDate & "', ExpiresOn = '" & ExpirationDate & "', SystemGuid = '" & lblMotherboardSerial.Text & "' WHERE ProductKey = " & txtDbKey.Text & "" Dim SqlCommandUp As New SqlCommand(SQLCOMMANDUPDATE, SqlConnection) SqlCommandUp.ExecuteNonQuery()
Now look this statement
WHERE ProductKey = " & txtDbKey.Text & ""
When I am passing the value "123456789" for txtDbkey , the records are updated successfully, but when I pass the value "abcdefghi" for txtDbKey, it is throwing an error saying that "Invalid Column" then followed by "abcdefghi"
Why is this happening, is there any implicit or explicit rule coming in action, please tell me, need your helpThanks in Advance !
Thursday, August 02, 2012 9:52 PM
Try single ticks instead of double quotes in where clause
WHERE ProductKey = '" & txtDbKey.Text & "'"
Friday, August 03, 2012 2:05 AM
Is ProdcutKey columns is INT or Varchar, if it is varchar then you need to include single quotes, try ["ProdcutKey = '" & Value & "'"]
Friday, August 03, 2012 5:25 AM
I'll suggest you to use a stored procedure for updating database.
Your sql command created dynamically is open for sql injection if you do not validate user input.
Please check the following thread http://social.msdn.microsoft.com/Forums/en-US/sqlgetstarted/thread/d6e250e3-aabd-430d-89c3-5787c13bfbd1/ for a sample SP use with parameters