PDA

Click to See Complete Forum and Search --> : inserting data into the database

NKarthick
April 15th, 2008, 04:37 AM
HI

i am selectin some values from the listbox and trasferring those to another listbox from which i need to store it into the database (sql2000)

the database connection is working correctly (i.e., i was able to retrieve the information from the database)
but i was not able ot insert an item into the database

i had established the connection and written the command in the following way


conn = New OleDbConnection("provider=SQLOLEDB;server=user-r;database=map;User Id=sa;Password=sa")
conn.Open()
command = New OleDbCommand("insert into dhf(muser,map1,map2,map3,map4,map5)values(muser,map1.map2,map3,map4,map5)", conn)
command.ExecuteNonQuery()



nut while executing hte query i am gettiing the following error

cannot save the name 'muser'is not permitted in this contextr , only constants, expressions or variab\bles allowed here.
column names are not premitted



please do me the need
Shuja Ali
April 15th, 2008, 05:08 AM
First of all you do not use OLEDBConnection to connect to a SQL Server. You should be using SQLConnection, look at System.Data.SQLClient.

Now your Insert query does not insert any actual values in the the database. What are "muser,map1.map2,map3,map4,map5"? Your T-SQL is wrong, you should read about the Query syntax from a book or MSDN. Insert Queries will usually work like this Insert Into TABLENAME (Field1, Field2, Field3) Values ('Value1', 'Value2', 'Value3')
MikeVallotton
April 15th, 2008, 08:39 AM
Change this:

insert into dhf(muser,map1,map2,map3,map4,map5)
values(muser,map1.map2,map3,map4,map5)

to this:

insert into dhf(muser,map1,map2,map3,map4,map5)
values(@muser,@map1,@map2,@map3,@map4,@map5)

if you use the SqlClient objects (which would be recommended).

Then add parameters to the SqlCommand object, like this:

scmd.Parameters.Add(...);

The SqlClient object are just like the OleDb objects in almost every respect. You can pretty much just global replace "Sql" for "OleDb".

The poster above me was just trying to give you some quick help, but it's not really a great idea to inline the values like this:

Insert Into TABLENAME (Field1, Field2, Field3)
Values ('Value1', 'Value2', 'Value3')
NKarthick
April 16th, 2008, 01:21 AM
hi mike,

i had already tried what u have given but its still not working and i have to get ht edatas from the list box i should not enter the datas directly as u have specified as

insert into tablename(field1,field2)values('value1','value2')
MikeVallotton
April 16th, 2008, 09:32 AM
When you inline values like that, you can open yourself up to some security risks, but you'll have to decide if that's acceptable or not.

When your statement looks like this:

insert into tablename(field1,field2)values('" + value1 + "','" + value2 + "')

I can set value2 equal to this:

value2 = "'); drop table tablename;";

And you'll execute this:

insert into tablename(field1,field2)values('whatever',''); drop table tablename;')

Does that make sense?

Do something like this - I'm not going to write it all for you:

Create a SqlConnection to your database.
Create a SqlCommand.
SqlCommand.CommandText = "insert into tablename (field1, field2) values (@field1, @field2)";
SqlCommand.Parameters.Add("@field1", "whatever");
SqlCommand.Parameters.Add("@field2", "whatever");
SqlCommand.ExecuteNonQuery();

If you're still having trouble, post your code.