I have the following code which adds a record to the DB. The code executes fine, however when I look in the DB, there is no data added! Any help greatly appreciated:
Dim Con As SqlConnection
Dim cmd As New SqlCommand
Dim connstring As String
connstring = "Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\Assignment.mdf;Integrated Security=True;Connect Timeout=30"
Con = New SqlConnection(connstring)
Con.Open()
cmd = New SqlCommand("Insert into Rota ([Id],[Monday],[Tuesday],[Wednesday],[Thursday],[Friday],[Saturday],[Sunday],[UserID]) Values('" & chosen & "','" & mon & "','" & tues & "','" & wed & "','" & thur & "','" & fri & "','" & sat & "','" & sun & "','" & user & "')", Con)
cmd.ExecuteNonQuery()
MsgBox("done")
Con.Close()
Related
I have tried this code but the date format keeps staying the same when the record is entered
mysqlconn = New MySqlConnection
mysqlconn.ConnectionString =
Dim reader As MySqlDataReader
Try
mysqlconn.Open()
Dim query As String
query = "insert into jadco_test.adrv (id,type_adrv,date_discov,date_notif,pssd,psed,comment,hearing_date,sanction`enter code here`_sd,sanction_ed) values('" & Tbox_ID.Text & "','" & ComboBox_adrv.SelectedItem & "', '" & DateTimePicker_DD = DateTime.Now.ToString("yyyy-MM-dd") & "','" & DateTimePicker_DN.CustomFormat & "','" & DateTimePicker_pssd.CustomFormat & "','" & DateTimePicker_psed.CustomFormat & "', '" & TextBox_comment.Text & "','" & DateTimePicker_HD.CustomFormat & "','" & DateTimePicker_SSD.CustomFormat & "','" & DateTimePicker_SED.CustomFormat & "' )"
command = New MySqlCommand(query, mysqlconn)
reader = command.ExecuteReader
MessageBox.Show("record saved")
mysqlconn.Close()
Catch ex As MySqlException
MessageBox.Show(ex.Message)
Finally
mysqlconn.Dispose()
End Try
My problem here is every time i want to save into the database, only two row in the datagridview can be save. why is that ? is it because of the two command of inserting ?
Here is my code:
Try
For Each column As DataGridViewRow In dtorder.Rows
Dim sqlconn As New OleDb.OleDbConnection
Dim sqlquery As String
Dim sqlquery1 As String
Dim cmd As New OleDb.OleDbCommand
Dim cmd1 As New OleDb.OleDbCommand
Dim connString As String
connString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Bloodyjenk\Documents\POS system.accdb"
sqlconn.ConnectionString = connString
sqlconn.Open()
sqlquery = "INSERT INTO OrderedInfoName VALUES ('" & txtOrderNo.Text & "','" & column.Cells(0).Value & "','" & column.Cells(1).Value & "','" & column.Cells(2).Value & "','" & column.Cells(3).Value & "')"
sqlquery1 = "INSERT INTO Ordered VALUES ('" & txtOrderNo.Text & "','" & cmbTable.Text & "','" & cmbOrdertype.Text & "','" & lblDate.Text & "','" & lblStatus.Text & "','" & lblPrice.Text & "','" & lblDiscount.Text & "','" & lblSub.Text & "', 0, 0)"
cmd = New OleDb.OleDbCommand(sqlquery, sqlconn)
cmd1 = New OleDb.OleDbCommand(sqlquery1, sqlconn)
cmd.ExecuteNonQuery()
cmd1.ExecuteNonQuery()
sqlconn.Close()
Next
Catch ex As Exception
MsgBox("DONE")
OrderList.Show()
Me.Close()
End Try
I am doing a project in vb.net and I've made a table with listview now the problem is that I am not be able to get a specific column item and only be able to get the item of first column (listview.selecteditems(0).text) and i.e. 0(zero)... ListView1.SelectedItems(1/2/3/so on).Text is not working.
My code is:
s = one_way.ListView1.SelectedItems(4).Text
cmd1 = New OleDbCommand("Select reference_no from Booking_Details", cn)
cmd1 = New OleDbCommand("insert into Booking_Details values(" & i & ",'" & one_way.ListView1.SelectedItems(0).Text & "','" & main.ComboBox1.Text & "','" & main.ComboBox9.Text & "','" & main.RadioButton2.Text & "','" & main.ComboBox2.Text & "','" & main.ComboBox4.Text & "','" & main.DateTimePicker2.Text & "','" & s & "',' ',' ','" & main.ComboBox5.Text & "','" & main.ComboBox6.Text & "','" & main.ComboBox7.Text & "')", cn)
cmd1.ExecuteNonQuery()
s = one_way.ListView1.SelectedItems(4).Text
cmd1 = New OleDbCommand("Select reference_no from Booking_Details", cn)
cmd1 = New OleDbCommand("insert into Booking_Details values('" & s & "')", cn)
cmd1.ExecuteNonQuery()
Someone please help.
In a listview, selecteditem(s) refers to the row. In order to add columns to it, you had to create and assign subitems and that is how you need to get the info back:
someInfo = listview.SelectedItems(X).SubItems(Z).Text
'SelectedItems(N).Text' is just returning the column 0 or item text.
your code is also ripe for a sql injection attack - you should use parameters: https://stackoverflow.com/a/16760887/1070452
I'm trying to insert record in multiple table at a time using sqldataadapter and sqltransaction. i use the following code. but it is not working. help me plz....... tell me the problem in this code
Dim cn As New SqlConnection("Data Source=.\SQLEXPRESS;Initial Catalog=AMHSDB;Integrated Security=True")
Dim da As New SqlDataAdapter
Dim ds As New DataSet
Dim trans As SqlTransaction
Dim tot As Integer
Public Sub RecordSave()
tot = CInt(TB3.Text.Trim) + CInt(TB4.Text.Trim) + CInt(TB5.Text.Trim) + CInt(TB6.Text.Trim)
Dim yr As String
yr = Now.Year()
Try
cn.Open()
trans = cn.BeginTransaction()
da.InsertCommand.Transaction = trans
da.InsertCommand = New SqlCommand("INSERT INTO[FTUT_tbl] (roll_no,s_name,class,session,eng_i,ben,math,stu_wor,gra_tot) VALUES ('" & TB1.Text.Trim & "','" & TB2.Text.Trim & "','Nursery','" & yr & "','" & TB3.Text.Trim & "','" & TB4.Text.Trim & "','" & TB5.Text.Trim & "','" & TB6.Text.Trim & "','" & tot & "')", cn)
da.InsertCommand.ExecuteNonQuery()
da.Dispose()
da.InsertCommand = New SqlCommand("INSERT INTO[FTE_tbl] (roll_no,s_name,class,session) VALUES ('" & TB1.Text.Trim & "','" & TB2.Text.Trim & "','Nursery','" & yr & "')", cn)
da.InsertCommand.ExecuteNonQuery()
da.Dispose()
trans.Commit()
MsgBox("Rocord Successfully Inserted!")
Catch ex As Exception
trans.Rollback()
MsgBox(ex.Message)
Finally
cn.Close()
End Try
End Sub
Create the InsertCommand first, and then assign the transaction:
da.InsertCommand = New SqlCommand("...")
da.InsertCommand.Transaction = trans
And you need to commit your transactions:
da.InsertCommand.Transaction.Commit()
try this, may be it will help for you
Dim dsBillMst As DataTable
Dim TrDtsSvr As SqlTransaction
Dim cmdReadLocal As New SqlCommand
Dim ConSvr As New SqlConnection(gblstrDBConnectionStr)
ConSvr.Open()
TrDtsSvr = ConSvr.BeginTransaction()
cmdReadLocal.Transaction = TrDtsSvr
cmdReadLocal.commandtext="//your insert statement"
cmdReadLocal.executenonquery()
adapter = New SqlDataAdapter(cmdReadLocal)
dsBillMst = New DataTable
adapter.Fill(dsBillMst)
your problem is you disposed the sql command in the first insert, but then you didnt open it again in another insert.
try this one.....
cn.Open()
trans = cn.BeginTransaction()
da.InsertCommand.Transaction = trans
da.InsertCommand = New SqlCommand("INSERT INTO[FTUT_tbl] (roll_no,s_name,class,session,eng_i,ben,math,stu_wor,gra_tot) VALUES ('" & TB1.Text.Trim & "','" & TB2.Text.Trim & "','Nursery','" & yr & "','" & TB3.Text.Trim & "','" & TB4.Text.Trim & "','" & TB5.Text.Trim & "','" & TB6.Text.Trim & "','" & tot & "')", cn)
da.InsertCommand.ExecuteNonQuery()
da.Dispose()
cn.Open()
da.InsertCommand = New SqlCommand("INSERT INTO[FTE_tbl] (roll_no,s_name,class,session) VALUES ('" & TB1.Text.Trim & "','" & TB2.Text.Trim & "','Nursery','" & yr & "')", cn)
da.InsertCommand.ExecuteNonQuery()
da.Dispose()
I don't know how to avoid SQL injection, could someone help me with my problem?
Here is my current code:
Private Function INSERT() As String
Dim SQLcon As New SqlConnection
Dim SQLdr As SqlDataReader
Try
SQLcon.ConnectionString = "Data Source=#####;Initial Catalog=OJT;Persist Security Info=True;User ID=####;Password=#####"
Dim SQLcmd As New SqlCommand("INSERT INTO dbo.Patients(pIDNo,pLName,pFName,pMI,pSex,pStatus,pTelNo,pDocID,pAddr,pStreet,pBarangay,pCity,pProvince,pLNameKIN,pFNameKIN,pMIKIN,pRelationKIN) VALUES('" & LabelPNumber.Text & "','" & txtLname.Text & "','" & txtFname.Text & "','" & txtMI.Text & "','" & txtPatientSex.Text & "','" & txtPatientSex.Text & "','" & txtPatientTelNo.Text & "','" & txtPatientDoctor.Text & "','" & txtStreetNumber.Text & "','" & txtStreetName.Text & "','" & txtBarangay.Text & "','" & txtCity.Text & "','" & txtProvince.Text & "','" & txtKinLname.Text & "','" & txtKinFname.Text & "','" & txtKinMI.Text & "','" & txtRelationToPatient.Text & "') ", SQLcon)
SQLcon.Open()
MsgBox("Patient Added!", MsgBoxStyle.Information)
SQLdr = SQLcmd.ExecuteReader()
Catch ex As Exception
MessageBox.Show("Error Occured, Can't Add Patient!" & ex.Message)
Finally
SQLcon.Close()
End Try
Return "done"
End Function
Basically anywhere you're concatenating strings together to create your SQL statement, especially that which comes from user input, is vulnerable.
Instead of doing this use SQL parameters, which can be added to the Parameters property of your SQL command (SQLcmd here).
I'll show you an example with one of your parameters - change your SQLCommand text to:
INSERT INTO dbo.Patients(pIDNo, ...)
VALUES(#pIDNo, ...)
Where #pIDNo is a "placeholder" in the string for the parameter value, which is sent separately from the command in the SQLParameters collection.
Then you can add a parameter with the same name as this "placeholder", and the value (it will derive the type from the value provided for you).
Here's the example from earlier:
SQLcmd.Parameters.AddWithValue("#pIDNo", LabelPNumber.Text)