removed from here .....................

What I have tried:

VB
Dim strSql As String = GetCaseSQL("12345")
Updated 9-Nov-16 3:36am
1 solution

Remove the first two lines:
VB.NET
"DECLARE @PartyID INT  " + vbCrLf + _
"SET @PartyID = 16482594 " + vbCrLf + _

Then add your PartyID as a parameter to the SqlCommand when you actually use it:
VB
Using con As New SqlConnection(strConnect)
    Dim myValue As Integer = 12345
    con.Open()
    Using cmd As New SqlCommand(strSQL, con)
        ' The SQL text stays fixed; the value is sent separately as a typed parameter
        cmd.Parameters.AddWithValue("@PartyID", myValue)
        Using reader As SqlDataReader = cmd.ExecuteReader()
            While reader.Read()
                ...
            End While
        End Using
    End Using
End Using
Don't pass the string value to your method and try to concatenate it - that way is far too dangerous: read up on SQL Injection and you'll see what I mean.
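The two approaches this answer contrasts, as an added example that is not part of the original question or answer: Python with an in-memory sqlite3 table standing in for the SQL Server one (the table name, column names and sample rows are constructed), binding `@PartyID` as a named parameter the way `cmd.Parameters.AddWithValue` does, beside the concatenated form the question started from.

```python
import sqlite3

# Constructed sample data standing in for the real Party table (sqlite3 in memory
# is used here in place of SQL Server so the example runs offline).
SAMPLE_PARTIES = [(5678, "Alice"), (12345, "Bob"), (16482594, "Carol")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Party (PartyID INTEGER PRIMARY KEY, Name TEXT)")
    con.executemany("INSERT INTO Party VALUES (?, ?)", SAMPLE_PARTIES)
    return con


def get_case_sql_concat(party_id: str) -> str:
    """The fragile pattern from the question: the caller's value is pasted into
    the SQL text, so the statement the server parses changes with every input."""
    return "SELECT PartyID, Name FROM Party WHERE PartyID = '" + party_id + "'"


# The safe pattern from the answer: one fixed SQL string with a named placeholder.
CASE_SQL = "SELECT PartyID, Name FROM Party WHERE PartyID = @PartyID"


def fetch_case_param(con: sqlite3.Connection, party_id) -> list:
    """Equivalent of cmd.Parameters.AddWithValue("@PartyID", myValue): the value is
    bound separately and is only ever treated as data, never parsed as SQL."""
    return con.execute(CASE_SQL, {"PartyID": party_id}).fetchall()


def fetch_case_concat(con: sqlite3.Connection, party_id: str) -> list:
    return con.execute(get_case_sql_concat(party_id)).fetchall()


def concat_query_fails(con: sqlite3.Connection, party_id: str) -> bool:
    """True when the concatenated statement cannot even be parsed for this input:
    the symptom that the input is being read as SQL rather than as a value."""
    try:
        fetch_case_concat(con, party_id)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    con = make_db()
    print(fetch_case_param(con, 5678))         # [(5678, 'Alice')]
    print(fetch_case_concat(con, "5678"))      # [(5678, 'Alice')]
    print(concat_query_fails(con, "O'Brien"))  # True: the quote ends the literal early
    print(fetch_case_param(con, "O'Brien"))    # []: just a value that matches nothing
```

A plain value such as `O'Brien` is enough to break the concatenated form; the parameterised form compares it as data and simply finds no row.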
Comments
Member 11403304 9-Nov-16 8:40am
I am so lost here. So what I am trying to do before I move forward is test if my SQL works.
When, for example, I test like this: Dim strSql As String = GetCaseSQL("5678")
the result is SET @PartyID = 16482594
I would like the result to be SET @PartyID = 5678.
So the result should always be whatever is in the Dim strSql As String = GetCaseDQL("Whatever is in here should be returned as @PartyID")
OriginalGriff 9-Nov-16 9:16am
The trouble is that the way you are trying to do this is dangerous - it involves concatenating strings, and that means that anyone who can enter the string can enter commands directly into your SQL server - and if it's a website that means from anywhere in the world - this is called SQL Injection and is totally to be avoided: google "bobby tables" and have a read.
The code I showed you shows how to do it safely - you provide a parameter which the SQL command calls @PartyID and for which you set a value in a safe way, without string concatenation.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)