Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Review Insert snippet lines 1

Status
Not open for further replies.
lance59

lance59

IS-IT--Management
Mar 6, 2007
50
US
Working on a project and wanted to make sure I am on the right track. This is my SQL Insert snippet. Is this the right way to do an Insert? It works just want to be sure I'm not missing anything.

TIA

This is my connection string. I have it in a module so I can use it other places.

Public conn_string As String = "server=SQL_2005;database=Test;UID=sa;Pwd=test"


Dim cn As New SqlConnection(conn_string)
Dim objCommand As New SqlCommand("", cn)
cn.Open()
objCommand.CommandText = "INSERT INTO patient_images(ENTERPRISE_ID,PRACTICE_ID,PERSON_ID,ENC_ID,ORIG_IMAGE_FILE,IMAGE_DESC,IMAGE_FILE,IMAGE_ID,CREATED_BY, MODIFIED_BY) VALUES('" & enterprise_id & "','" & practice_id & "', '" & person_id & "', '" & enc_id & "', '" & orig_image_file & "', '" & image_desc & "', '" & image_file & "', '" & image_id & "', '" & created_by & "', '" & modified_by & "')"
objCommand.ExecuteNonQuery()
cn.Close()
cn = Nothing


 
Sort by date Sort by votes
Yep you are missing a lot. Like something called sql-injection.

change to this (untested)

Code: 
 Dim cn As New SqlConnection(conn_string)
            Dim objCommand As New SqlCommand("", cn)
            cn.Open()
            objcommand.parameters.add(new sqlparameter("enterprise_id",sqltype.int)
            objcommand.parameters(0).value = enterprise_id
............ 'do all the parameters
            objCommand.CommandText = "INSERT INTO 
patient_images(ENTERPRISE_ID,PRACTICE_ID,PERSON_ID,ENC_ID,ORIG_IMAGE_FILE,IMAGE_DESC,IMAGE_FILE,IMAGE_ID,CREATED_BY, MODIFIED_BY) VALUES(@enterprise_id,@practice_id,@person_id,@ enc_id,@orig_image_file,@image_desc,@image_file,@image_id,@created_by ,@modified_by)"
            objCommand.ExecuteNonQuery()
            cn.Close()
            cn = Nothing

Since I can only guess the datatypes of the parameters I won't go any further but they should be the same as your databasetypes.

BTW created_by and modified_by can be done by using default values at the sql-server side.

Christiaan Baes
Belgium

My Blog
"In a system where you can define a factor as part of a third factor, you need another layer to check the main layer in case the second layer is not the base unit." - jrbarnett
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

sal21
  • Locked
  • Question
INSERT label for each shape in form 1
Replies
6
Views
237
sal21
sal21
Niki_S
  • Locked
  • Question
How to insert excel sheet into sql server using vb 6?
Replies
6
Views
425
Andrzejek
Andrzejek
sal21
  • Locked
  • Question
insert shape in cell 4 of column 6 in a msflexgrid 1
Replies
5
Views
317
sal21
sal21
sal21
  • Locked
  • Question
Incorporate or insert the Italy map with the mouse move event in a form?
Replies
19
Views
564
sal21
sal21
Niki_S
  • Locked
  • Question
How to insert data into a grid by using another grid in vb 6?
Replies
2
Views
271
Andrzejek
Andrzejek

Part and Inventory Search

Sponsor

Back
Top