How do I specify a variable in cmd.Parameters.AddWithValue("@" & Variable & "", "") in...












-1















The field into which the data should be inserted actually depends on which store is currently active. For that reason I want the parameter to be dynamic based on the case, but I am not able to figure out how to mention a variable inside the Parameter function as the name of the field.



Code:



    Dim whichListID = "Store1ListID"
    Str = "Insert Into Customer ([" & whichListID & "], [AccountBalance]) " &
          "Values (@" & whichListID & ", @AccountBalance)"
    cmd = New SqlCommand(Str, con2) 'Fine up till here

    cmd.Parameters.AddWithValue("" & "@" & whichListID & "", "45675671")
    cmd.Parameters.AddWithValue("@AccountBalance", 0)
    con2.Open()
    cmd.ExecuteNonQuery()
    con2.Close()


So my question is: how do I write the following statement correctly?

    cmd.Parameters.AddWithValue("" & "@" & whichListID & "", "45675671")









  • The scary part here appears to be that this is open to injection.

    – Larnu
    Dec 29 '18 at 13:25











  • but the parameter would consist of the field name, not data

    – Far
    Dec 29 '18 at 13:31













  • You can't parameterize column names. It seems odd to insert the column name as a column value too. Is that your intent?

    – Dan Guzman
    Dec 29 '18 at 13:50






  • 2





    start by NOT using addwithvalue anywhere.

    – SMor
    Dec 29 '18 at 16:01






  • 1





    @Dan Guzman You can't parameterize column names, are you sure you can't? There's nothing stopping me from calling an sp which has params, that can take column names to build what I want using dynamic sql...

    – Çöđěxěŕ
    Dec 29 '18 at 16:12


















sql-server vb.net






edited Dec 29 '18 at 13:35







Far

















asked Dec 29 '18 at 13:21









Far













1 Answer
-1














I put the following line of code which solved the problem



    Dim Param As String = "@" & WhichListID
    cmd.Parameters.AddWithValue(Param, "45675671")





answered Dec 29 '18 at 14:18

Far
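Added example (not part of the original question or answer): the comments point out that a column name cannot be sent as a parameter and that concatenating it is open to injection. One way to handle both, assuming the per-store columns are known in advance, is to check the name against an allow-list and keep the parameter name fixed, since a parameter name does not have to match the column name. `Store2ListID`, the column types and sizes, and the `BuildInsertSql` and `InsertCustomer` helpers are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module CustomerInsert
    ' Assumed set of per-store columns; only Store1ListID appears in the question.
    Private ReadOnly AllowedListIdColumns As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase) From {
        "Store1ListID", "Store2ListID"
    }

    ' Builds the INSERT text. The column name is used only if it is on the allow-list.
    Function BuildInsertSql(whichListID As String) As String
        If whichListID Is Nothing OrElse Not AllowedListIdColumns.Contains(whichListID) Then
            Throw New ArgumentException("Unknown ListID column.", NameOf(whichListID))
        End If
        ' Allow-listed names contain no "]", so bracket quoting is sufficient here.
        Return "INSERT INTO Customer ([" & whichListID & "], [AccountBalance]) " &
               "VALUES (@ListID, @AccountBalance)"
    End Function

    Sub InsertCustomer(connectionString As String, whichListID As String,
                       listId As String, balance As Decimal)
        Dim sql = BuildInsertSql(whichListID)
        Using con As New SqlConnection(connectionString),
              cmd As New SqlCommand(sql, con)
            ' Explicit types instead of AddWithValue (type and size are assumptions).
            cmd.Parameters.Add("@ListID", SqlDbType.VarChar, 50).Value = listId
            Dim p = cmd.Parameters.Add("@AccountBalance", SqlDbType.Decimal)
            p.Precision = 18
            p.Scale = 2
            p.Value = balance
            con.Open()
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    Sub Main()
        ' Constructed inputs: one allow-listed name, one name that is not on the list.
        Console.WriteLine(BuildInsertSql("Store1ListID"))
        Try
            BuildInsertSql("NotAColumn]")
        Catch ex As ArgumentException
            Console.WriteLine("Rejected: " & ex.Message)
        End Try
    End Sub
End Module
```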





























