Using a Parameterized Query to Fix SQL Syntax Errors

Using a parameterized query to update or insert records into a database is the best method for dealing with apostrophes (single quotes) in the data. It has the added benefit of reducing your database's exposure to SQL injection attacks, because all of the text in a parameter is treated only as data. Below is a very basic example of how to use command parameters. The example is shown with SQL Server, but the same approach also works with OLEDB. Please note: if you use parameters with OLEDB connections they must be placed in the same order they appear in the table.
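The following C# example is added here and is not code from the original page. It contrasts a concatenated statement that breaks on a value containing an apostrophe with the parameterized `SqlCommand` version; the `Customers` table, its columns and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class ParameterizedInsertExample
{
    // Assumed (not from the page): a table Customers(LastName NVARCHAR(50), City NVARCHAR(50))
    // and a placeholder connection string.
    const string ConnectionString = "<SQL Server connection string>";

    // Broken approach: a value such as O'Brien closes the string literal early, so SQL
    // Server reports a syntax error and whatever follows the quote is parsed as SQL.
    static string BuildConcatenatedSql(string lastName, string city)
    {
        return "INSERT INTO Customers (LastName, City) VALUES ('" + lastName + "', '" + city + "')";
    }

    // Fix with SqlCommand: named parameters travel separately from the statement text,
    // so the apostrophe is stored as-is and is never parsed as SQL.
    static int InsertCustomer(string lastName, string city)
    {
        const string sql = "INSERT INTO Customers (LastName, City) VALUES (@LastName, @City)";
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Declaring the type and length keeps the parameter matched to the column definition.
            command.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
            command.Parameters.Add("@City", SqlDbType.NVarChar, 50).Value = city;
            connection.Open();
            return command.ExecuteNonQuery(); // number of rows inserted
        }
    }

    static void Main()
    {
        // Shows the malformed statement text the concatenated version would send.
        Console.WriteLine(BuildConcatenatedSql("O'Brien", "Dublin"));
        Console.WriteLine(InsertCustomer("O'Brien", "Dublin") + " row(s) inserted");
    }
}
```

With `OleDbCommand` the placeholders are `?` instead of `@Name`, and the entries in `Parameters` are matched to those placeholders by position, which is why their order matters.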

More details about SqlCommand.Parameters can be found on the MSDN website.

If you have any comments, questions, or suggestions please feel free to contact us.


Copyright ©1993-2024 McGrath Electronics, Inc.  All Rights Reserved