Question : SQL Query Problems

How can I change the below code to SQL Parameters? (I think this is what I need)

I have a problem where if lvitem.text has a ' in the text then it will not insert into my SQL table.

Example:
'Richard's here' - Will not insert because of the '
'Richards here' - Will insert as there is no '

I need to be able to insert into the field reqardless of the string.

Code Snippet:

1: 2: 3: 4: 5: 6:

For Each lvItem As ListViewItem In ListView1.Items Dim query2 As String = "INSERT INTO tblOrderLines(custref,orderref, Barcode, Product, price) values ( " & _ "'" & strCustRef & "','" & strOrderRef & "','" & lvItem.Text & "','" & lvItem.SubItems(1).Text.ToString & "','" & lvItem.SubItems(2).Text.ToString & "')" Dim result2 As Integer = New SqlCommand(query2, con).ExecuteNonQuery MessageBox.Show(query2) Next

Open in New Window

Select All

Answer : SQL Query Problems

I have used VarChar for all (SqlDbType.VarChar) but change to the correct datatypes.

I don't have VS right now, but should be something like this:

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12:

Dim SQL As String = "INSERT INTO tblOrderLines(custref,orderref, Barcode, Product, price) values (@custref,@orderref, @Barcode, @Product, @price)" Using command As New SqlCommand(SQL, con) command.Parameters.Add("@custref", SqlDbType.VarChar).Value = strCustRef command.Parameters.Add("@orderref", SqlDbType.VarChar).Value = strOrderRef command.Parameters.Add("@Barcode", SqlDbType.VarChar).Value = lvItem.Text ' you don't need to replace symbols this way command.Parameters.Add("@Product", SqlDbType.VarChar).Value = lvItem.SubItems(1).Text.ToString command.Parameters.Add("@price", SqlDbType.VarChar).Value = lvItem.SubItems(2).Text.ToString Dim result As Integer = command.ExecuteNonQuery() ' ... End Using

Open in New Window

Select All