Home Forums Programming General AddWithValue issue - Update the current field content ASP.Net/SQL RE: AddWithValue issue - Update the current field content ASP.Net/SQL

  • July 8, 2013 at 8:38 am

    #1630467

    You are mixing up the SQL with the VB and confusing yourself. Not to mention, introducing a massive SQL-injection hole, by building up the string in that fashion.

    Instead, define @variables within the SQL string and use AddWithValue to populate them.

    For example:

    Dim strSQL02 As String = "Update [ClinicTest2].[dbo].[ICDbS_Products] SET " & _

    "NewTotal = (NewTotal + @qty_to_add) " & _

    "WHERE ProductNoID = @prod_id"

    Dim myCommand02 As New SqlCommand(strSQL02, objConn02)

    myCommand02.Parameters.AddWithValue("@qty_to_add", QtyToAddBack)

    myCommand02.Parameters.AddWithValue("@prod_id", ItemNumber)

    You should also look into separating your SQL code from your VB code, preferably in the form of stored procedures but possibly with a separate class of SQL strings. For best results, the SQL strings should be constants.