Private Sub BtnSave_Click(sender As Object, e As EventArgs) Handles BtnSave.Click
cn.Open()
cmd = New SqlCommand("insert into CandTable(Passport_No,Name,Father
Name,Mother Name,Date_of_Birth) values('" & Candi.TxtPass.Text & "','" &
Candi.TxtName.Text & "', '" & Candi.TxtFather.Text & "', '" &
Candi.TxtMother.Text & "','" & Candi.TxtDob.Text & "')", cn)
cmd.ExecuteNonQuery()
cn.Close()
MsgBox("Data Saved Successfully")
End Sub
Asked
Active
Viewed 55 times
-1
Stephen Jennings
- 12,494
- 5
- 47
- 66
varin
- 7
- 2
-
I also recommend you look into parameterizing your SQL query. [Here is an example of doing it in VB](https://stackoverflow.com/a/542542/19818). Parameterization protects you against quotation marks in strings and other dangerous input, which could give an attacker access to your database. – Stephen Jennings Dec 12 '18 at 05:20
-
I can imagine that this will work: take a quotation mark for the field names containing a whitespace: ChrW(96). Try this: \`Father Name\`,\`Mother Name\` – muffi Dec 12 '18 at 05:35
1 Answers
1
Try this......
Using sqlcon As New SqlConnection(strCaseConnString)
sbSql.Append("insert into CandTable(Passport_No,Name,[Father Name],[Mother Name],Date_of_Birth) values(@Passport_No,@Name,@FatherName,@MotherName,@Date_of_Birth")
Using sqlCmd As New SqlCommand(sbSql.ToString(), sqlcon)
sqlCmd.Parameters.Add("@Passport_No", SqlDbType.NVarChar).Value = Candi.TxtPass.Text
sqlCmd.Parameters.Add("@Name", SqlDbType.NVarChar).Value = Candi.TxtName.Text
sqlCmd.Parameters.Add("@FatherName", SqlDbType.NVarChar).Value = Candi.TxtFather.Text
sqlCmd.Parameters.Add("@MotherName", SqlDbType.NVarChar).Value = Candi.TxtMother.Text
sqlCmd.Parameters.Add("@Date_of_Birth", SqlDbType.NVarChar).Value = Candi.TxtDob.Text
sqlcon.Open()
sqlCmd.ExecuteNonQuery()
sqlcon.Close()
End Using
End Using
Chetan Sanghani
- 2,058
- 2
- 21
- 36