Problem inserting data from a DataGridView into a SQL table

Hello everyone,

I am building a VB.NET project with SQL Server 2012 as the backend.

I have a problem with the insert command; my code is as under:

    ' Builds the INSERT statement by concatenating the control text and the
    ' grid cell values directly into the SQL string.
    Dim n, m As Integer

    n = Me.dgv.Rows.Count - 1
    For m = 0 To n - 1
        cmdinsert.Connection = connection
        cmdinsert.CommandText = "INSERT INTO amountdrcr(todate,ac,drcr,sp,crid,amount,Description)values(" & TodateDateTimePicker.Text & "," & Val(dgv.Rows(m).Cells("id").FormattedValue) & ",'Cr','Receipt Cash'," & SrTextBox.Text & "," & Val(dgv.Rows(m).Cells("Amount").FormattedValue) & "," & dgv.Rows(m).Cells("Narration").Value & ")"

        cmdinsert.ExecuteNonQuery()
    Next

When I press the Save button, this error is shown:

 Invalid column name 'abc'.

Actually, I typed abc in the Narration column.

Please help me.

March 23rd, 2015 11:14am

Hello,

Never generate dynamic SQL statements in this way with user entry; it will always cause issues like this one and opens the door wide for SQL injection.

Always use parameterized queries instead; see e.g. the SqlCommand.Parameters property.

March 23rd, 2015 11:49am
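What happened in the question is visible in the error text: the Narration value abc was pasted into the statement with no quotes around it, so SQL Server parsed it as an identifier and reported "Invalid column name 'abc'". Wrapping the value in quotes would hide that symptom, but a Narration containing a quote would break the statement again, and a crafted one would run as SQL. The loop below is an added example, not code from the original thread, showing the same insert rewritten with SqlCommand.Parameters. The table and column names are those from the question; the control names (dgv, TodateDateTimePicker, SrTextBox), the SQL column types, the parameter sizes and the use of a transaction are assumptions.

```vbnet
' Added example (not from the original post or its answers): the question's
' insert loop rewritten with SqlCommand.Parameters. Table and column names are
' the ones in the question; the control names (dgv, TodateDateTimePicker,
' SrTextBox), the SQL column types and the use of a transaction are assumptions.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Windows.Forms

Public Module ReceiptSave

    ' Inserts every committed grid row inside one transaction. The SQL text is a
    ' constant: cell contents are bound to the @placeholders and never parsed
    ' as SQL, so a Narration of abc (or of ', 0); DROP TABLE amountdrcr; --)
    ' is stored verbatim instead of being read as a column name or a command.
    Public Sub SaveReceipts(connection As SqlConnection,
                            dgv As DataGridView,
                            toDate As Date,
                            crid As Integer)
        Const sql As String =
            "INSERT INTO amountdrcr (todate, ac, drcr, sp, crid, amount, Description) " &
            "VALUES (@todate, @ac, 'Cr', 'Receipt Cash', @crid, @amount, @description)"

        Using tx As SqlTransaction = connection.BeginTransaction()
            Using cmd As New SqlCommand(sql, connection, tx)
                ' Declare each parameter once with an explicit SQL type (assumed to
                ' match the table definition); only the values change per row.
                cmd.Parameters.Add("@todate", SqlDbType.Date).Value = toDate
                cmd.Parameters.Add("@crid", SqlDbType.Int).Value = crid
                cmd.Parameters.Add("@ac", SqlDbType.Int)
                Dim amount As SqlParameter = cmd.Parameters.Add("@amount", SqlDbType.Decimal)
                amount.Precision = 18
                amount.Scale = 2
                cmd.Parameters.Add("@description", SqlDbType.NVarChar, 255)

                For Each row As DataGridViewRow In dgv.Rows
                    ' Skip the empty "new row" placeholder at the bottom of the grid.
                    If row.IsNewRow Then Continue For

                    cmd.Parameters("@ac").Value = Convert.ToInt32(row.Cells("id").Value)
                    cmd.Parameters("@amount").Value = Convert.ToDecimal(row.Cells("Amount").Value)

                    ' An empty Narration cell becomes SQL NULL rather than the text "Nothing".
                    Dim narration As Object = row.Cells("Narration").Value
                    If narration Is Nothing OrElse String.IsNullOrEmpty(narration.ToString()) Then
                        cmd.Parameters("@description").Value = DBNull.Value
                    Else
                        cmd.Parameters("@description").Value = narration.ToString()
                    End If

                    cmd.ExecuteNonQuery()
                Next

                ' Either every row is saved or none: a failure on row 5 no longer
                ' leaves rows 1 to 4 behind in the table.
                tx.Commit()
            End Using
        End Using
    End Sub

End Module
```

From the Save button handler this would be called as `ReceiptSave.SaveReceipts(connection, Me.dgv, TodateDateTimePicker.Value, Integer.Parse(SrTextBox.Text))` with the connection already open. Passing `TodateDateTimePicker.Value` (a typed Date) instead of `.Text` also removes the dependence on the machine's date format, which the concatenated version would have broken on. Because the parameter types are declared, a non-numeric value in the id or Amount cell fails in `Convert.ToInt32`/`Convert.ToDecimal` before anything reaches the server, and the `Using` around the transaction rolls back whatever was inserted so far.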

Hi ABDULLAHAAJSOFT,

As the issue is more related to VB.NET programming, I would like to recommend you post the question in the Visual Basic forum. It is appropriate and more experts will assist you.


Thanks,
Lydia Zhang

March 23rd, 2015 11:18pm
