Change your SQL statement to be:

"INSERT into
Timecard(INEENO,INDTWE,INWKNO,INDYWK, INJBNO, INGLAN, INJCDI, INRGHR,
INOVHR, INOTHR, INOTTY) values(@ineeno, @indtwe, @inwkno... etc)"

Then do the following:
cmd.Parameters.Add(new SqlParameter("@ineeno", EmplID1.Text))

for each parameter (this may not be the right VB syntax, I am a C# guy).



On 31 Oct, 14:53, Imstac <[EMAIL PROTECTED]> wrote:
> I've been looking for the proper code to use to use parameters in my
> insert statement but am not having any luck.  Could you suggest a
> website for me to get this information?  Also, should I be using a
> dataset instead of accessing my database directly?  I'm not sure of
> the guidelines on when you should/shouldn't use a dataset.
>
> On Oct 30, 5:14 pm, Joe Enos <[EMAIL PROTECTED]> wrote:
>
>
>
> > First of all - classic sql injection attack-prone - switch to a
> > parametrized command or stored proc.
>
> > Second - shouldn't be difficult to debug - just step through it, find
> > out what the value of cmd.CommandText is, and dump it into your
> > database program - Management Studio or Query Analyzer, etc.  You'll
> > probably find a missing single-quote or something like that.
>
> > On Oct 30, 3:09 pm, Imstac <[EMAIL PROTECTED]> wrote:
>
> > > I added an SQL insert statement to a button on my web form and when I
> > > debug I get the error: "Incorrect syntax near ','  "  I've been over
> > > and over the code and can't figure out the problem.  Could someone
> > > please take a look at my code and let me know if you see anything
> > > wrong?
>
> > > Protected Sub Button1_Click(ByVal sender As Object, ByVal e As
> > > System.EventArgs) Handles Button1.Click
> > >         Dim oConn As New
> > > System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("CMSConnectionString").ConnectionString)
> > >         Dim cmd As New System.Data.SqlClient.SqlCommand()
> > >         cmd.Connection = oConn
> > >         oConn.Open()
> > >         cmd.CommandText = "INSERT into
> > > Timecard(INEENO,INDTWE,INWKNO,INDYWK, INJBNO, INGLAN, INJCDI, INRGHR,
> > > INOVHR, INOTHR, INOTTY) values(" & EmplID1.Text & ",'" &
> > > DatePicker1.TextValue & "'," & DD_week.Text & "," & DD_DayofWeek.Text
> > > & ",'" & jobno.Text & "','" & GLAcct.Text & "','" & DD_CostCode.Text &
> > > "'," & RegHrs.Text & ", " & OTHrs.Text & "," & OthHrs.Text & ",'" &
> > > DD_OthHourType.Text & "')"
> > >         cmd.ExecuteNonQuery()
> > >         oConn.Close()
>
> > >     End Sub
>
>
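The parameterised version that the top reply recommends, rewritten from the Button1_Click handler quoted above as an added example (not code from any poster in this thread). Column types are assumed from how the original concatenated each value: unquoted values as Int/Decimal, quoted ones as VarChar (the length 20 is a placeholder), and INDTWE as DateTime.

```vb
' Added example: the quoted handler rewritten with a parameterised SqlCommand.
' These Imports belong at the top of the page's code-behind file.
Imports System.Data
Imports System.Data.SqlClient

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim connStr As String = ConfigurationManager.ConnectionStrings("CMSConnectionString").ConnectionString

    ' Placeholders instead of concatenated text: the statement's shape is fixed
    ' before any user input is seen, so a textbox value can only ever be a value,
    ' never part of the SQL (this is what closes the injection hole).
    Const sql As String = "INSERT INTO Timecard " & _
        "(INEENO, INDTWE, INWKNO, INDYWK, INJBNO, INGLAN, INJCDI, INRGHR, INOVHR, INOTHR, INOTTY) " & _
        "VALUES (@ineeno, @indtwe, @inwkno, @indywk, @injbno, @inglan, @injcdi, @inrghr, @inovhr, @inothr, @inotty)"

    Using oConn As New SqlConnection(connStr)
        Using cmd As New SqlCommand(sql, oConn)
            ' Typed parameters (types assumed from the original quoting). A blank
            ' or non-numeric textbox now fails here as a .NET conversion error,
            ' instead of producing broken SQL such as "values(,'2007-10-30'..."
            ' that SQL Server rejects with "Incorrect syntax near ','".
            cmd.Parameters.Add("@ineeno", SqlDbType.Int).Value = Integer.Parse(EmplID1.Text)
            cmd.Parameters.Add("@indtwe", SqlDbType.DateTime).Value = DateTime.Parse(DatePicker1.TextValue)
            cmd.Parameters.Add("@inwkno", SqlDbType.Int).Value = Integer.Parse(DD_week.Text)
            cmd.Parameters.Add("@indywk", SqlDbType.Int).Value = Integer.Parse(DD_DayofWeek.Text)
            cmd.Parameters.Add("@injbno", SqlDbType.VarChar, 20).Value = jobno.Text
            cmd.Parameters.Add("@inglan", SqlDbType.VarChar, 20).Value = GLAcct.Text
            cmd.Parameters.Add("@injcdi", SqlDbType.VarChar, 20).Value = DD_CostCode.Text
            cmd.Parameters.Add("@inrghr", SqlDbType.Decimal).Value = Decimal.Parse(RegHrs.Text)
            cmd.Parameters.Add("@inovhr", SqlDbType.Decimal).Value = Decimal.Parse(OTHrs.Text)
            cmd.Parameters.Add("@inothr", SqlDbType.Decimal).Value = Decimal.Parse(OthHrs.Text)
            cmd.Parameters.Add("@inotty", SqlDbType.VarChar, 20).Value = DD_OthHourType.Text

            oConn.Open()
            cmd.ExecuteNonQuery()
        End Using   ' the connection is closed even if ExecuteNonQuery throws
    End Using
End Sub
```

If the original error came from an empty numeric field, the Parse calls above surface it as a FormatException at the exact control, which is far easier to debug than inspecting cmd.CommandText.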
