i using function vb.net. i'm query sql datagridview , insert data datagridview databse function.
but error in function: name 'exhbk13004' not permitted in context. constants, expressions, or variables allowed here. column names not permitted.
i want using function insert database.
table clother
name type no (pk) int code nvarchar(12) rclother int cidetail int po nvarchar(50) code (button save)
private sub btsave_click(byval sender system.object, byval e system.eventargs) handles btsave.click integer = 0 dgvitem.rows.count - 1 sendpdtstatus = finsertclother(cstr(dgvitem.rows(i).cells(0).value), cint(dgvitem.rows(i).cells(1).value), cint(dgvitem.rows(i).cells(2).value), _ dgvitem.rows(i).cells(3).value) next end sub code function
public function finsertclother(byval code string, byval rclother integer, byval cidetail integer, byval po string) dim tr sqltransaction dim sqlcom new sqlcommand dim sqlinsert string dim returnvalue integer tr = conn.begintransaction sqlcom.connection = conn sqlinsert = "insert clother " sqlinsert &= "(code,rclother,cidetail,po) " sqlinsert &= "values(" & code & "," & rclother & "," & cidetail & "," & po & ")" sqlcom.transaction = tr sqlcom.commandtext = sqlinsert sqlcom.commandtype = commandtype.text returnvalue = sqlcom.executescalar << line error if returnvalue = 0 tr.commit() else tr.rollback() end if return returnvalue end function i try debug result
name value sqlcom.commandtext "insert clother (code,rclother,cidetail,po) values(050030543003,5022,30543,exhbk13004/3)" sqlinsert "insert clother (code,rclother,cidetail,po) values(050030543003,5022,30543,exhbk13004/3)" only field "po" don't insert database.
thanks time. :))
you need put string values in quotes.
sqlinsert &= "values('" & code & "'," & rclother & "," & cidetail & ",'" & po & "')" that said, should not build query string using concatenation. makes query subject sql injection attack. instead, should use parametrized query. (as steve shows in answer).
Comments
Post a Comment