
I have no idea how to use parameterized queries and would like someone to point me in the right direction.

Here's what I'm currently using.

Public Class main
' Class-level connection reused by the methods of this form. The connection string
' names the MySQL root account and carries no password, so every statement sent
' through it typically runs with full server privileges.
' NOTE(review): a dedicated account restricted to the payid database would limit
' what an injected or mistaken statement could touch - confirm with deployment.
Dim dbCon As New MySqlConnection("Server=localhost;Database=payid;Uid=root")
' Text of the SQL statement most recently built by a method of this class.
Dim strQuery As String = ""
' Command object held at class level; assigned in Use().
Dim SQLCmd As MySqlCommand
' Reader declared for result sets; not used in the code shown here.
Dim DR As MySqlDataReader
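''' <summary>
''' Updates the <c>used</c> column of the <c>payid</c> row whose <c>payid</c>
''' equals <c>TextBox1.Text</c>, setting it to <c>amen.Text</c>.
''' </summary>
''' <remarks>
''' Both values come directly from form controls. They are bound as command
''' parameters rather than concatenated into the SQL text, so a quote or other
''' SQL syntax typed into either control is treated as data and cannot change
''' the statement that the server executes.
''' </remarks>
Private Sub Use()
    Try
        ' The SQL text is constant; @used and @payid are placeholders only.
        strQuery = "UPDATE payid " & _
            "SET used=@used " & _
            "WHERE payid=@payid"

        SQLCmd = New MySqlCommand(strQuery, dbCon)

        ' Values travel separately from the statement text.
        SQLCmd.Parameters.AddWithValue("@used", amen.Text)
        SQLCmd.Parameters.AddWithValue("@payid", TextBox1.Text)

        dbCon.Open()
        SQLCmd.ExecuteNonQuery()

    Catch ex As Exception
        ' NOTE(review): the raw provider message is shown to the user; it can
        ' include table or column names. Kept as in the original behaviour.
        MsgBox(ex.Message)
    Finally
        ' Close on every path. Previously a failure in ExecuteNonQuery left the
        ' shared connection open, and the next call to Open() would then throw.
        dbCon.Close()
    End Try
End Sub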

If someone could change that for me I'd be able to do the rest of my code.

1 Answer

' Statement text contains only placeholders; no control value is spliced into it.
strQuery = "UPDATE payid SET used=@used WHERE payid=@payid "
SQLCmd = New MySqlCommand(strQuery, dbCon)

' Bind each control value to its placeholder. The provider sends these as data,
' so quotes or SQL keywords typed by the user cannot alter the statement.
With SQLCmd.Parameters
    .AddWithValue("@used", amen.Text)
    .AddWithValue("@payid", TextBox1.Text)
End With
apomene