Question : SQL Query Problems

How can I change the below code to SQL Parameters? (I think this is what I need)

I have a problem where if lvitem.text has a ' in the text then it will not insert into my SQL table.

Example:
'Richard's here' - Will not insert because of the '
'Richards here' - Will insert as there is no '

I need to be able to insert into the field reqardless of the string.
Code Snippet:
1:
2:
3:
4:
5:
6:
For Each lvItem As ListViewItem In ListView1.Items
            Dim query2 As String = "INSERT INTO tblOrderLines(custref,orderref, Barcode, Product, price) values ( " & _
            "'" & strCustRef & "','" & strOrderRef & "','" & lvItem.Text & "','" & lvItem.SubItems(1).Text.ToString & "','" & lvItem.SubItems(2).Text.ToString & "')"
            Dim result2 As Integer = New SqlCommand(query2, con).ExecuteNonQuery
            MessageBox.Show(query2)
        Next

Answer : SQL Query Problems

I have used VarChar for all (SqlDbType.VarChar) but change to the correct datatypes.


I don't have VS right now, but should be something like this:

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
       Dim SQL As String = "INSERT INTO tblOrderLines(custref,orderref, Barcode, Product, price) values (@custref,@orderref, @Barcode, @Product, @price)" 
       Using command As New SqlCommand(SQL, con)  
                  command.Parameters.Add("@custref", SqlDbType.VarChar).Value = strCustRef
                  command.Parameters.Add("@orderref", SqlDbType.VarChar).Value = strOrderRef 
                  command.Parameters.Add("@Barcode", SqlDbType.VarChar).Value = lvItem.Text ' you don't need to replace symbols this way
                  command.Parameters.Add("@Product", SqlDbType.VarChar).Value = lvItem.SubItems(1).Text.ToString 
                  command.Parameters.Add("@price", SqlDbType.VarChar).Value = lvItem.SubItems(2).Text.ToString

                   Dim result As Integer = command.ExecuteNonQuery()  
                    ' ... 
         
       End Using
Random Solutions  
 
programming4us programming4us