current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

What I want to do is to look for the text that is entered on textbox4 assigned to Valor and display if found, the below code is working but I want to use parametized queries (security reasons) and I don't know how to modify my existing code to get it done. (eg, 123-A)

I will look for "123-A" but in the current code I got an error of "invalid column A", the SQL column that I will be looking "123-A" is "ID_LALTest"

Try
            ' *--------search by Unique ID-------*
            Dim CON As New SqlConnection
            Dim DA As New SqlDataAdapter
            Dim DS As New DataSet
            Dim SQL As String
            Dim Valor As String
            Valor = TextBox4_SearchData_LALTest.Text

            CON.ConnectionString = "not displayed"
            CON.Open()

            SQL = "SELECT ID_LALTest, LALTest_SeqRef_CH, LALTest_SeqRef_Year FROM LALTest WHERE ID_LALTest=@Valor"
            DA = New SqlDataAdapter(SQL, CON)
            DA.SelectCommand.Parameters.AddWithValue("@Valor", Valor)
            DA.SelectCommand.ExecuteNonQuery()
            DA.Fill(DS, 0)


            If DS.Tables(0).Rows.Count > 0 Then
                ' *--------Found, Display Data Grid-------*
                Label2_SearchData_LALTest.Visible = False
                GridView2_SearchData_LALTest.Visible = True
                GridView3_SearchData_LALTest.Visible = True
                GridView1_SearchData_LALTest.Visible = False

            Else
                Label2_SearchData_LALTest.Text = "Record Not Found"
                Label2_SearchData_LALTest.Visible = True
                GridView2_SearchData_LALTest.Visible = False
                GridView3_SearchData_LALTest.Visible = False
                GridView1_SearchData_LALTest.Visible = False

            End If
            con.dispose()
        Catch ex As Exception
            MsgBox(Err.Description)
        End Try
share|improve this question
1  
What part of the documentation ( msdn.microsoft.com/en-us/library/bbw6zyha.aspx ) are you having trouble with? –  Andrew Morton Mar 6 '13 at 20:45
    
i just updated the code with the reference you gave me, but i received an error of "error in converting "123-A" Char to Int".. but i;m not able to detect why is trying to convert to INT? –  Eddy V Mar 6 '13 at 21:09
    
Did you use the appropriate SqlDbType for the type of the column in the database? –  Andrew Morton Mar 6 '13 at 21:12
    
SQL column is set to varchar, is not a problem with the FILL function?? –  Eddy V Mar 6 '13 at 21:29
1  
In some circumstances .AddWithValue will suffice. To be absolutely sure you are passing what you intend to pass, use .Add(New SqlParameter With {.ParameterName = "@Valor", .SqlDbType = SqlDbType.VarChar, .Size = 50, .Value = Valor}) (change the .Size to what it is in the database). –  Andrew Morton Mar 6 '13 at 21:35

1 Answer 1

up vote 0 down vote accepted

Yup, you are wide-open for sql-injection. Depending on different databases (you just have SQL, but is that SQL-Server, MySQL, an Access/SQL database, etc).

Anyhow, it's not too far off from what you have. Not specializing in VB, I'll give you some pseudo-code for it...

Change your query, and put in a "place-holder" for the "variable" you want to apply from the input... Ex:

"select (your fields) from (yourtable) where ID_LALTest = @parmValor"

Then, add the parameters to your sql command created for your data adapter... something like...

DA.SelectCommand.Parameters.Add( "@parmValor", theInputFromYourVariable );

Now, if you have multiple conditions you want to apply, just keep adding "@someParm" value and add the parameters IN THE SAME ORDER as they exist in the query... I've heard from others in the past, that just the ordinal sequence of parameters not matching the query can/does cause problems... such as data type expectations too.

share|improve this answer
    
when i use parameters.add("variable", sqldbtype) its what the visual studio is suggesting... therefore i can not use ("@Val", Valor") or maybe im just getting the solution wrong –  Eddy V Mar 6 '13 at 21:32

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.