<pre><code>Imports System.Data.Odbc

Dim email As String = "anyone@anywhere.com"
Dim stringValue As String

' Query: the user-supplied value is bound as a parameter, never concatenated into the SQL
Using conn As OdbcConnection = New OdbcConnection(MyConString)
    conn.Open()
    Dim sql = "Select ... From userInfo Where emailAddress = @Email"
    Using cmd As OdbcCommand = New OdbcCommand(sql, conn)
        cmd.Parameters.AddWithValue("@Email", email)
        Dim reader As OdbcDataReader = cmd.ExecuteReader()
        While reader.Read()
            stringValue = reader.GetString(0)
        End While
    End Using
    conn.Close()
End Using

'To do an Update
Using conn As OdbcConnection = New OdbcConnection(MyConString)
    conn.Open()
    Dim sql As String = "Update userInfo Set Column = @Value Where PK = @PK"
    Using cmd As OdbcCommand = New OdbcCommand(sql, conn)
        ' one parameter per placeholder in the statement, added in the same order
        cmd.Parameters.AddWithValue("@Value", newValue)
        cmd.Parameters.AddWithValue("@PK", pk)
        cmd.ExecuteNonQuery()
    End Using
End Using

'To do an Insert
Using conn As OdbcConnection = New OdbcConnection(MyConString)
    conn.Open()
    Dim sql As String = "Insert userInfo(Col1,Col2,...) Values(@Value1,@Value2...)"
    Using cmd As OdbcCommand = New OdbcCommand(sql, conn)
        cmd.Parameters.AddWithValue("@Value1", value1)
        cmd.Parameters.AddWithValue("@Value2", value2)
        ' ... one AddWithValue per remaining placeholder
        cmd.ExecuteNonQuery()
    End Using
End Using
</code></pre> <p>First, even in ASP Classic, it is an absolutely horrid approach to concatenate a value directly into a SQL statement. This is how SQL Injection vulnerabilities happen. You should always sanitize values that get concatenated into SQL statements. In .NET, you can use parameterized queries where you replace the values that go into your query with a variable that begins with an @ sign. You then add a parameter to the command object and set your value that way. The Command object will sanitize the value for you. </p> <p><strong>ADDITION</strong> You mentioned in a comment that your ASP Classic code is shorter. In fact, the .NET code is shorter because there are a host of things happening that you do not see and have not implemented in your ASP Classic code. I already mentioned one, which is sanitizing the inputs.
Another is logging. Out of the box, if an exception is thrown, it will log it in the Event Log with a call stack. To even get a call stack in ASP Classic is a chore, much less any sort of decent logging. You would need to set On Error Resume Next and check for err.number &lt;> 0 after each line. In addition, without On Error Resume Next, if an error is thrown, you have no guarantee that the connection will be closed. It <em>should</em> be closed, but the only way to know for sure is to use On Error Resume Next and try to close it.</p> <p>Generally, I encapsulate all of my data access code into a set of methods so that I can simply pass the SQL statement and the parameter values and ensure that it is called properly each time. (This holds true for ASP Classic too).</p>
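The following is an added example, not code from the answer above; it is written in Python against an in-memory SQLite table rather than in VB.NET so that it runs without an ODBC data source. It shows the two points the answer makes: a value concatenated into the statement text is parsed as SQL, while a bound parameter is only ever data, and a small helper that takes the statement plus its parameter values keeps every call on the safe path. The table, rows and hostile input are constructed for the demonstration. One caveat for readers porting the answer's VB.NET to <code>System.Data.Odbc</code>: that provider does not recognise named <code>@Name</code> markers in statement text and binds parameters positionally, so the placeholders in the SQL should be <code>?</code> (the same convention <code>sqlite3</code> uses below) and the <code>AddWithValue</code> calls must be made in placeholder order.

```python
import sqlite3

# Constructed sample data standing in for the userInfo table discussed in the answer.
ROWS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userInfo (emailAddress TEXT, displayName TEXT)")
    conn.executemany("INSERT INTO userInfo VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> list[str]:
    """The ASP Classic pattern the answer warns against: the value is glued into the SQL text,
    so anything in it is parsed as part of the statement."""
    sql = "SELECT displayName FROM userInfo WHERE emailAddress = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def run_query(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> list:
    """The data-access helper the answer describes: callers pass the statement and the
    parameter values; the driver binds the values, so they are never parsed as SQL.
    sqlite3 uses positional '?' placeholders, the same convention as ODBC."""
    return [row[0] for row in conn.execute(sql, params)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list[str]:
    """Same lookup, with the value bound as a parameter."""
    return run_query(conn, "SELECT displayName FROM userInfo WHERE emailAddress = ?", (email,))


def demo() -> dict:
    """Run both lookups with a normal address and with a constructed input that contains
    a quote and an OR clause, and return the rows each one produced."""
    conn = make_db()
    normal = "alice@example.com"
    hostile = "' OR '1'='1"  # constructed: closes the quoted literal and widens the WHERE clause
    return {
        "concat_normal": lookup_concatenated(conn, normal),
        "concat_hostile": lookup_concatenated(conn, hostile),  # every row comes back
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),  # no such address: no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it prints one matching row for both normal lookups, every row for the concatenated hostile lookup, and no rows for the parameterized hostile lookup: the bound value is compared literally against <code>emailAddress</code> and never reaches the SQL parser. Routing all database calls through a helper like <code>run_query</code> is what makes that property hold for every statement rather than only the ones someone remembered to parameterize.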