Inserting of data to sql server database

Question

lil_Is -4 Newbie Poster

15 Years Ago

Hi all,

I have a program that need to insert the data to the database. In the form, I have 5 textbox control which required the user to insert the data in the database. To create this, I am using the visual studios 2005 and sql server 2005 for the database. I have post this part of the code, it works and has been inserted to the database but the problem is some of the other forums member said that the code can be implement in a better way. Could anyone help me?
Here is the part of the code where the user need to insert the data:

Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click

        Dim connectionString As String = "Data Source=ITCU-22\SQLEXPRESS;Initial Catalog=User;Integrated Security=SSPI;"

        Dim sql As String
        Dim conn As SqlConnection
        conn = New SqlConnection(connectionString)

        sql = "Insert Into receivedData (ReceivedName,TelephoneNo,TimeStamp,ReceivedMsg)values('" & (Trim(TextBox2.Text) & "','" & Trim(TextBox4.Text) & "','" & Trim(TextBox6.Text) & "','" & Trim(TextBox3.Text)) & "')"

        conn.Open()
        Dim cmd As New SqlCommand(sql, conn)
        cmd.ExecuteNonQuery()
        MsgBox("Message has been sent to the database")
        conn.Close()

Thanks

Regards
LiL_Is

vb.net

4 Contributors
4 Replies
143 Views
2 Days Discussion Span
Latest Post 15 Years Ago Latest Post by babbu

TomW 73 Posting Whiz

15 Years Ago

Concatenating your query strings is poor coding. It is much better to use parameters. Take a look at sqlCommand.Parameters.AddWithValue. If you have any additional questions about it just let me know.

Another consideration is putting your query directly into a stored procedure in your database. Then you just have to link the command object to the stored procedure name and pass it the proper parameters.

sknake commented: parameterized sql++; +17

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

babbu -12 Posting Whiz in Training · Answer 1 · 2009-09-28T12:56:07+00:00

u can make the connection object as module level variable.
moreover u dont need to create a string and then attach it to the connection object
for eg.

dim conn as new sqlconnection("Data Source=ITCU-22\SQLEXPRESS;Initial Catalog=User;Integrated Security=SSPI;")

similarly u can change the sql command as follows

dim cmd as new sqlcommand
cmd.commandtext="Insert Into receivedData (ReceivedName,TelephoneNo,TimeStamp,ReceivedMsg)values('" & (Trim(TextBox2.Text) & "','" & Trim(TextBox4.Text) & "','" & Trim(TextBox6.Text) & "','" & Trim(TextBox3.Text)) & "')"
cmd.connection=conn

hope this helps

sknake 1,622 Senior Poster Featured Poster · Answer 2 · 2009-09-29T13:53:44+00:00

I second Tom's approach. Always use parameterized SQL! A link that may be helpful:
http://codebetter.com/blogs/david.hayden/archive/2006/01/05/136264.aspx

babbu -12 Posting Whiz in Training · Answer 3 · 2009-09-30T15:54:21+00:00

i agree with tomw.
m sorry i forgot to add the parameter part mentioned by tomw.