Home/ Questions/Q 9242701
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T08:38:09+00:00

i am working on an application which will allow the user to add a

  • 0

i am working on an application which will allow the user to add a company via the form. i a struggling on inserting the data into the MySQL DB in the INSERT query. the query is sound as it will work when directly applied, however the application won’t commit…here is my code below…

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

           sqlconnection.Close()

Dim com As New MySqlCommand("INSERT INTO companies VALUES(company_id, '" & TextBox1.Text & "', '" & RichTextBox1.Text & "', '" & TextBox4.Text & "', '" & TextBox5.Text & "', '" & ComboBox6.Text & "', '" & TextBox2.Text & "', '" & TextBox7.Text & "', '" & TextBox3.Text & "', '" & ComboBox2.Text & "', '" & RichTextBox3.Text & "', '" & ComboBox5.Text & "', '" & RichTextBox2.Text & "', '" & ComboBox7.Text & "', '" & ComboBox1.Text & "', '" & ComboBox4.Text & "';", con)

        con.Open()

        com.ExecuteNonQuery()

        con.Close()

        MsgBox("committed")

Thanks in advance

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    That’s what you get for not using parametrized query.
    Probably in one or more of your textboxes or richtextboxes an apostrophe causes your string concatenation to confuse everything.
    Suppose that TextBox1 contains 'Acme's Inc.'. Now your string query text becomes

    INSERT INTO companies VALUES (company_id, 'Acme's Inc.', 
                                               ^

    See the syntax error caused by blindly string concatenation?

    I can’t write a complete replacement of your code here because so many controls with undescriptive names. However you should write something like this

    Dim cmdText = "INSERT INTO companies VALUES (@companyID, @param1, @param2, ....etc")
Dim com as New MySqlCommand(cmdText, con)
com.Parameters.AddWithValue("@companyID", company_id)
com.Parameters.AddWithValue("@param1", textbox1.Text)
.... 'and so on'
con.Open()
com.ExecuteNonQuery()

    Apart from the quoting problem, correct representation of dates and decimal numbers for the underlying database system you have another big problem. SQL Injection (This is just an instructive link because SQL Injection is a very large topic)

    So at the end

    NEVER USE STRING CONCATENATION TO BUILD SQL QUERIES.

    • 0