Retrieve data column info using ADO.NET

Jan Erik Hansen

I have a function with a dynamic SQL block like this (fieldname and
fieldvalue are input parameters to the function):

strSQL = "UPDATE myTable SET " + fieldname + "=" + fieldvalue +
"' where myID = " + knr

I have to determine whether fieldname is a string or numeric to get the
correct SQL syntax.

What is the fastest way to do this? (Code example is very helpful.)

I use SQL Server 2000 and VB.NET.

Jan Erik Hansen
Oslo, Norway
 
Use parameters... OK, you can /possibly/ get away with using direct
concatenation for the field-name (assuming that there is no user input
to this), but for the value, the correct syntax is simply:

"... SET FieldName = @Value"

And add a parameter to the command called @Value, with .Value =
fieldValue;

Most importantly, this protects you from injection. I can't do an
example in VB (am a C# person...).

Marc
 
I am a C# guy, but here is an example:

Marc's solution is the way to go, but if you must use the dynamic
query in your example code, you can overload your method. Just call
MyMethod and the correct query will get created for you. See below.

// Numeric overload: the value is concatenated without quotes.
void MyMethod(string fieldname, int fieldvalue) {

    strSQL = "UPDATE myTable SET " + fieldname + "=" + fieldvalue +
        " where myID = " + knr;
}

// String overload: the value is wrapped in single quotes.
void MyMethod(string fieldname, string fieldvalue) {

    strSQL = "UPDATE myTable SET " + fieldname + "='" + fieldvalue +
        "' where myID = " + knr;
}
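
The parameterized update from the thread, written in VB.NET as an added example that is not part of any post above. It also checks the column name against INFORMATION_SCHEMA.COLUMNS before concatenating it, so the value's type never has to be worked out for quoting. The names UpdateField and ColumnExists, the connection string argument, the integer type of myID, and the use of .NET 2.0 or later with VB 10 line continuation are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module UpdateExample
    ' Hypothetical helper: True when columnName is a real column of myTable.
    ' The name travels as a parameter, so it is never parsed as SQL here.
    Function ColumnExists(conn As SqlConnection, columnName As String) As Boolean
        Const sql As String =
            "SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS " &
            "WHERE TABLE_NAME = 'myTable' AND COLUMN_NAME = @col"
        Using cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@col", SqlDbType.NVarChar, 128).Value = columnName
            Return CInt(cmd.ExecuteScalar()) > 0
        End Using
    End Function

    ' Hypothetical helper: updates one column of one row and returns the
    ' number of rows affected. fieldvalue may be a String, a number or Nothing.
    Function UpdateField(connString As String, fieldname As String,
                         fieldvalue As Object, knr As Integer) As Integer
        Using conn As New SqlConnection(connString)
            conn.Open()
            If Not ColumnExists(conn, fieldname) Then
                Throw New ArgumentException("Unknown column: " & fieldname)
            End If
            ' Bracket-quote the validated identifier; double any "]" in it.
            Dim quoted As String = "[" & fieldname.Replace("]", "]]") & "]"
            Dim sql As String =
                "UPDATE myTable SET " & quoted & " = @Value WHERE myID = @Id"
            Using cmd As New SqlCommand(sql, conn)
                ' The provider sends the value typed, so no quoting is needed.
                cmd.Parameters.AddWithValue("@Value", If(fieldvalue, DBNull.Value))
                cmd.Parameters.Add("@Id", SqlDbType.Int).Value = knr
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```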
 