Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 General SQL Server Forums
 New to SQL Server Programming
 variable in SQL string

Author  Topic 

EricBHK
Starting Member

18 Posts
Posted - 2012-08-28 : 15:06:14
what is the proper syntax for inserting a variable (declared in VB.NET) in a SQl string ? I want to do the following :


dim TitleOld as string = "abcdefgh"

sql = "INSERT INTO LibraryChanges(column1)
VALUE ('" & TitleOld & "')"



Thanks !

sunitabeck
Master Smack Fu Yak Hacker

5155 Posts
Posted - 2012-08-28 : 15:31:00
The syntax is as shown below, BUT DON'T DO THAT WAY because it is vulnerable to SQL injection attacks.
dim TitleOld as string = "abcdefgh"
sql = "INSERT INTO LibraryChanges(column1) VALUES ('" & TitleOld & "');"
One way to prevent the injection risk would be to create a stored proc as shown below and then call that stored proc from VB.Net.
CREATE PROCEDURE dbo.InsertATitle
	@TitleOld VARCHAR(256)
AS
	INSERT INTO LibraryChanges(column1) VALUES ( @TitleOld );
GO
This stored proc is just an example and limited, for example, it will allow you to insert only one value at a time.
Go to Top of Page
   

Subscribe to SQLTeam.com

SQLTeam.com Articles via RSS

SQLTeam.com Weblog via RSS

- Advertisement -

Resources

Articles

Forums

Blogs

Contact Us

About the Site