how do I specify a variable in cmd.Parameters.AddWithValue(“@” & Variable & “” , “”) in...
The field in which the data should be inserted is actually dependent on the store which is currently active. For that reason I want the parameter to be dynamic based on the case, but I am not able to figure out how to use a variable inside the Parameter function as the name of the field.
Code:
Dim whichListID = "Store1ListID"
Str = "Insert Into Customer ([" & whichListID & "], [AccountBalance])"&
"Values(@" & whichListID & ",@AccountBalance)"
cmd = New SqlCommand(Str, con2) 'Fine up till here
cmd.Parameters.AddWithValue("" & "@" & whichListID & "", "45675671")
cmd.Parameters.AddWithValue("@AccountBalance", 0)
con2.Open()
cmd.ExecuteNonQuery()
con2.Close()
So my question is: how do I write the following statement correctly?
cmd.Parameters.AddWithValue("" & "@" & whichListID & "", "45675671")

The scary part here appears to be that this is open to injection.
– Larnu
Dec 29 '18 at 13:25
but the parameter would be consisting field name not data
– Far
Dec 29 '18 at 13:31
You can't parameterize column names. It seems odd to insert the column name as a column value too. Is that your intent?
– Dan Guzman
Dec 29 '18 at 13:50
2
Start by NOT using AddWithValue anywhere.
– SMor
Dec 29 '18 at 16:01
1
@Dan Guzman "You can't parameterize column names", are you sure you can't? There's nothing stopping me from calling an sp which has params, that can take column names to build what I want using dynamic sql...
– Çöđěxěŕ
Dec 29 '18 at 16:12
edited Dec 29 '18 at 13:35
asked Dec 29 '18 at 13:21
Far
1 Answer
I put the following line of code which solved the problem
Dim Param As String="@" & WhichListID
cmd.Parameters.AddWithValue(Param , "45675671")
answered Dec 29 '18 at 14:18
Far
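
The comments on the question raise two points the fix above leaves open: the column name is still concatenated into the SQL text, and AddWithValue infers parameter types. The following is an added example, not code from the original posts, showing the column name checked against an allow-list and the values bound with explicit types; `Store2ListID`, the `@ListID` parameter name and the column types are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module CustomerInsert
    ' Allow-list of columns that may receive the list ID.
    ' "Store1ListID" is from the question; "Store2ListID" is a hypothetical second store.
    Private ReadOnly AllowedListIdColumns As New HashSet(Of String)(StringComparer.Ordinal) From {
        "Store1ListID",
        "Store2ListID"
    }

    Public Function BuildInsert(whichListID As String, listId As String,
                                balance As Decimal) As SqlCommand
        ' A column name cannot be bound as a parameter, so it must match the list exactly.
        If whichListID Is Nothing OrElse Not AllowedListIdColumns.Contains(whichListID) Then
            Throw New ArgumentException("Unknown list ID column.", "whichListID")
        End If

        ' Only the validated identifier is concatenated; the parameter names stay fixed.
        Dim sql As String =
            "INSERT INTO Customer ([" & whichListID & "], [AccountBalance]) " &
            "VALUES (@ListID, @AccountBalance)"

        Dim cmd As New SqlCommand(sql)
        ' Explicit types instead of AddWithValue; NVarChar(50) and Decimal(18,2)
        ' are assumed column types, adjust them to the real schema.
        cmd.Parameters.Add("@ListID", SqlDbType.NVarChar, 50).Value = listId
        Dim bal = cmd.Parameters.Add("@AccountBalance", SqlDbType.Decimal)
        bal.Precision = 18
        bal.Scale = 2
        bal.Value = balance
        Return cmd
    End Function

    Sub Main()
        ' Builds the command without opening a connection, so this runs offline.
        Dim cmd = BuildInsert("Store1ListID", "45675671", 0D)
        Console.WriteLine(cmd.CommandText)

        Try
            BuildInsert("UnknownColumn", "45675671", 0D) ' constructed invalid input
        Catch ex As ArgumentException
            Console.WriteLine("Rejected: " & ex.Message)
        End Try
    End Sub
End Module
```

To execute the insert, assign an open `SqlConnection` to `cmd.Connection` before calling `ExecuteNonQuery()`.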