9 Replies - 314 Views - Last Post: 17 April 2013 - 10:07 PM

#1 Adqusit

I want to improve my code

Posted 17 April 2013 - 07:55 AM

Hi. Earlier in my coding, I was using a query in my project like this:

' Values are concatenated straight from the text boxes into the SQL string
' (the string-building approach the rest of the thread argues against).
Dim ins As String = "insert into ProductBasicInfo (ProdId, ProdName, Description, Manufacturer) values (" & txtProdID.Text.Trim & ", '" & txtProdName.Text.Trim & "', '" & txtProdDesc.Text.Trim & "', '" & txtProdManuf.Text.Trim & "')"
Dim cmd As New SqlCommand(ins, cn)   ' was SqlCommand(str, cn); str is never declared
cmd.CommandType = CommandType.Text
da.InsertCommand = cmd               ' da is the form's SqlDataAdapter, cn its open SqlConnection
da.InsertCommand.ExecuteNonQuery()



But later on I learned parametrized queries.

Now I have learned that there is a way by which you can create different functions in your module and just send them parameters from each form, and that will work. So I tried like this:

This is my module code, the function which receives the values:

#Region "Insertion"

    ' cmdsql1 (a SqlCommand) and Conn() (returns an open SqlConnection) are
    ' declared elsewhere in the module. Note that tblName, columns and
    ' Parameters are still pasted into the SQL text as-is.
    Public Sub Insertion(ByVal tblName As String, ByVal columns As String, ByVal Parameters As String)

        Try
            cmdsql1.CommandText = "insert into " & tblName & " ( " & columns & ")  values  ( " & Parameters & ")"
            cmdsql1.Connection = Conn()
            cmdsql1.ExecuteNonQuery()

        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
    End Sub

#End Region


and this is my form's sending code on the save button:

Try
    Insertion("ProductBasicInfo", "ProdId, ProdName, Description, Manufacturer", " " & txtProdID.Text.Trim & ", '" & txtProdName.Text.Trim & "', '" & txtProdDesc.Text.Trim & "', '" & txtProdManuf.Text.Trim & "'")
    MessageBox.Show("Record Inserted Successfully")
Catch ex As Exception
    MessageBox.Show(ex.Message)
End Try


Now I want an expert opinion on whether this way of coding is valid or not.


Replies To: I want to improve my code

#2 modi123_1

Re: I want to improve my code

Posted 17 April 2013 - 07:55 AM

Did you forget a question?

#3 Adqusit

Re: I want to improve my code

Posted 17 April 2013 - 08:18 AM

I've asked a question:

Quote

Now I want an expert opinion on whether this way of coding is valid or not.


#4 modi123_1

Re: I want to improve my code

Posted 17 April 2013 - 08:23 AM

Ah.. your post cut off at "But later on i learned parametrized query.".

#5 Adqusit

Re: I want to improve my code

Posted 17 April 2013 - 08:30 AM

It's not cut off there, modi.

Did you get my point, what I want to learn?

#6 modi123_1

Re: I want to improve my code

Posted 17 April 2013 - 08:38 AM

First off - what you are doing there is not 'parametrized' queries. You _need_ to get into the habit of using those.

Second - no, setting a giant string on the way in isn't any more effective than doing it in the code.

Public Sub Insertion(ByVal tblName As String, ByVal columns As String, ByVal Parameters As String)


You should have a variable for each object you want to save as the 'insertion' input parameters, and then, inside insertion, you want to create a parametrized query.

Passing the buck upstream on when you cobble together a string really does not provide a benefit.

http://social.msdn.m...c-4fca2c9e1ea2/
http://social.msdn.m...3-4f2a6be250ac/
http://www.dreaminco...asics-in-vbnet/

#7 Adqusit

Re: I want to improve my code

Posted 17 April 2013 - 08:48 AM

Dear modi:

I'm using the same parametrized query. But what I actually want to learn is this: I am using this SQL injection query in the module way, but what I want is to use the parametrized query at module level. I don't understand how to set up the parametrized query for the module. I tried it but am not understanding at all.

#8 modi123_1

Re: I want to improve my code

Posted 17 April 2013 - 08:54 AM

Did you flip through those links? They outline it pretty well.

The key is to look where they start using the ".Parameters" collection.
<SqlCommand object>.Parameters.AddWithValue(...)


#9 Adqusit

Re: I want to improve my code

Posted 17 April 2013 - 10:00 PM

In post #7, the last line is:

Quote

I tried it but now understanding at all.


I tried but not understanding at all.

#10 Adqusit

Re: I want to improve my code

Posted 17 April 2013 - 10:07 PM

I studied the links you provided. It's the thing which is done on each form.

What I want is that from my forms I pass the parameters to the module, all the work is done in the module, and just the result is displayed to me on my form. That's it.

Currently I'm using the straight query way, in which SQL injection may harm the application, but what I want is to use parameterized queries at module level.

Did you get my idea?

This post has been edited by Adqusit: 17 April 2013 - 10:08 PM

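A module-level parameterized insert of the kind modi123_1 describes in posts #6 and #8 and the poster asks for in #10, as an added example that is not code from this thread. It assumes a connection string constant, the ProductBasicInfo table from the first post with an integer ProdId column, and the column lengths shown in the comments.

```vb
Imports System.Data
Imports System.Data.SqlClient

Module DataAccess

    ' Assumed connection string; replace with the project's own.
    Private Const ConnectionString As String = _
        "Server=(local);Database=Products;Integrated Security=True"

    ' One argument per column, as post #6 suggests. The SQL text is a fixed
    ' constant; the values travel as typed parameters, never inside the
    ' string, so a quote in a text box can no longer alter the statement.
    Public Function InsertProduct(ByVal prodId As Integer, ByVal prodName As String, _
                                  ByVal description As String, ByVal manufacturer As String) As Integer
        Const sql As String = _
            "INSERT INTO ProductBasicInfo (ProdId, ProdName, Description, Manufacturer) " & _
            "VALUES (@ProdId, @ProdName, @Description, @Manufacturer)"
        Using cn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(sql, cn)
                cmd.CommandType = CommandType.Text
                ' Explicit types and lengths (assumed to match the table) stop
                ' the driver from inferring them from each value.
                cmd.Parameters.Add("@ProdId", SqlDbType.Int).Value = prodId
                cmd.Parameters.Add("@ProdName", SqlDbType.NVarChar, 100).Value = prodName
                cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 500).Value = description
                cmd.Parameters.Add("@Manufacturer", SqlDbType.NVarChar, 100).Value = manufacturer
                cn.Open()
                Return cmd.ExecuteNonQuery()   ' rows affected; 1 on success
            End Using
        End Using
    End Function

    ' Form-facing entry point matching post #10: the form hands over its text
    ' boxes and gets back a message to display; validation and SQL live here.
    Public Function SaveProduct(ByVal idText As String, ByVal prodName As String, _
                                ByVal description As String, ByVal manufacturer As String) As String
        Dim prodId As Integer
        If Not Integer.TryParse(idText.Trim(), prodId) Then
            Return "Product ID must be a whole number"
        End If
        Try
            InsertProduct(prodId, prodName.Trim(), description.Trim(), manufacturer.Trim())
            Return "Record Inserted Successfully"
        Catch ex As SqlException
            Return "Insert failed: " & ex.Message
        End Try
    End Function

End Module
```

The save button then reduces to `MessageBox.Show(DataAccess.SaveProduct(txtProdID.Text, txtProdName.Text, txtProdDesc.Text, txtProdManuf.Text))`; table and column names stay as constants in the module because identifiers cannot be passed as parameters.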
