Solved

Insert Statement for RichTextBox

Posted on 2009-05-06
6
205 Views
Last Modified: 2012-05-06
I am having trouble with the followini line of code that takes text from a rtb and saves it to sql2005 server
I am getting the error on the insert statement with the (@RTFData) part, of "expression expected for the @ in particular...

Any ideas would be very much appreciated


Dim conn As New SqlClient.SqlConnection("Server=myserver;Database=mydb;Trusted_Connection=yes;")

Dim command As New SqlClient.SqlCommand("insert into my_table(controlnumber,id_1, cde, de2, wa,stmp, eml) values ( '" & controlnumber.Text & "','" & j1.Text & "','" & bl.Text & "', '" & rm.Text & "', '" & wd.Text & "', '" & time100.Text & "','" & (@RTFData) & "')", conn)

 Command.Parameters.Add("@RTFData", SqlDbType.Text).Value = richtextbox1.Rtf
        conn.Open()
        Command.ExecuteNonQuery()
        conn.Close()
        conn.Dispose()
0
Comment
Question by:H-SC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 12

Accepted Solution

by:
GuitarRich earned 500 total points
ID: 24315816
The @RTFData bit isn't enclosed within speach marks so the compiler thinks its code. Change this line:
 Dim command As New SqlClient.SqlCommand("insert into my_table(controlnumber,id_1, cde, de2, wa,stmp, eml) values ( '" & controlnumber.Text & "','" & j1.Text & "','" & bl.Text & "', '" & rm.Text & "', '" & wd.Text & "', '" & time100.Text & "',@RTFData", conn)
That will now see the @RTFData as a parameter in the SQL - while your at it, it would be a good idea to change all the values to use parameters as doing it this way leaves you open to SQL Injection attacks.
0
 
LVL 1

Author Comment

by:H-SC
ID: 24315994
GuitarRich,

Many thanks for the reply...I tried that and keep getting error of "Incorrect syntax near '@RTFData'. any ideas??
0
 
LVL 1

Author Comment

by:H-SC
ID: 24316049
ok I think I have it, I put a ) after the @RTFData like
time100.Text & "',@RTFData)", conn)

and seems to work
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 
LVL 12

Expert Comment

by:GuitarRich
ID: 24316110
I would probably code it more like this:

        Dim sql As String = "insert into my_table(controlnumber,id_1, cde, de2, wa,stmp, eml) values (@controlNumber, @j1, @bl, @rm, @wd, @time100, @RTFData)"
 
        Using conn As New SqlClient.SqlConnection("Server=myserver;Database=mydb;Trusted_Connection=yes;")
 
            conn.Open()
 
            Dim cmd As New SqlClient.SqlCommand(sql, conn)
            cmd.CommandType = CommandType.Text
 
            cmd.Parameters.AddWithValue("@controlNumber", controlNumber.Text)
            cmd.Parameters.AddWithValue("@j1", j1.Text)
            cmd.Parameters.AddWithValue("@bl", b1.Text)
            cmd.Parameters.AddWithValue("@rm", rm.Text)
            cmd.Parameters.AddWithValue("@wd", wd.Text)
            cmd.Parameters.AddWithValue("@time100", time100.Text)
            cmd.Parameters.AddWithValue("@RTFData", richtextbox1.Rtf)
 
            cmd.ExecuteNonQuery()
            conn.Close()
        End Using

Open in new window

0
 
LVL 1

Author Comment

by:H-SC
ID: 24316129
oh, quick question..

what are SQL Injection attacks?
0
 
LVL 12

Expert Comment

by:GuitarRich
ID: 24323651
in your earlier code  a user could write sql into the text box which would be executed against the db. something like
'); truncate table users go //
More info here: http://en.wikipedia.org/wiki/SQL_injection
you can prevent this by always using parameters in your sql.
 
0

Featured Post

Ready to get started with anonymous questions?

It's easy! Check out this step-by-step guide for asking an anonymous question on Experts Exchange.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: jpaulino
XML Literals are a great way to handle XML files and the community doesn’t use it as much as it should.  An XML Literal is like a String (http://msdn.microsoft.com/en-us/library/system.string.aspx) Literal, only instead of starting and ending with w…
I think the Typed DataTable and Typed DataSet are very good options when working with data, but I don't like auto-generated code. First, I create an Abstract Class for my DataTables Common Code.  This class Inherits from DataTable. Also, it can …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question