With both subs you must enter the values as you would write them into a sql string i.e. 'mustsurroundstrings'

I'm rather new at VB.Net and SQL but these work for me and are seem pretty efficient. If anyone has a way to improve on them or finds a flaw in them please feel free to email me [snipped].

Edited 5 Years Ago by Ezzaral: Snipped email. Please keep it on site.

Public Sub AddRecord(ByVal tbl As String, ByVal fields As String, ByVal values As String)
        Dim con As New SqlConnection
        Dim sqlcmd As SqlCommand
        con.ConnectionString = My.Resources.ConnString
        Try
            con.Open()
            Try
                sqlcmd = New SqlCommand("INSERT INTO [" & tbl & "] (" & fields & ") VALUES(" & values & ")", con)
                Dim check As Integer = sqlcmd.ExecuteReader.RecordsAffected
                If check < 1 Then
                    MsgBox("Record was not added to " & tbl)
                End If
            Catch ex As Exception
                MsgBox(errormsg(ex))
            End Try
        Catch ex As Exception
            MsgBox(errormsg(ex))
        Finally
            con.Close()
        End Try

    End Sub

Public Sub UpdateRecord(ByVal tbl As String, ByVal id As String, ByVal fields As String, ByVal values As String)
        Dim con As New SqlConnection
        Dim sqlcmd As SqlCommand

        con.ConnectionString = My.Resources.ConnString
        Dim multifields() As String = {fields}
        Dim multivalues() As String = {values}

        If InStr(",", fields) Then
            multifields = Split(fields, ",")
        End If
        If InStr(",", values) Then
            multivalues = Split(values, ",")
        End If

        Try
            con.Open()
            Try
                For n As Integer = 0 To multifields.Length - 1
                    If multifields(n) <> "" Then
                        sqlcmd = New SqlCommand("UPDATE [" & tbl & "] SET=[" & multifields(n) & "]=" & multivalues(n) _
                                                & " WHERE ([Id]=" & id & ")", con)
                        Dim check As Integer = sqlcmd.ExecuteReader.RecordsAffected
                        If check < 1 Then
                            MsgBox("Record was not modified")
                        End If
                    End If
                Next
            Catch ex As Exception
                MsgBox(errormsg(ex))
            End Try
        Catch ex As Exception
            MsgBox(errormsg(ex))
        Finally
            con.Close()
        End Try
    End Sub
Private Sub btnLogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnLogin.Click
        If txtUsername.Text = "" Then
            MsgBox("Please Enter Username")
        ElseIf txtPassword.Text = "" Then
            MsgBox("Please Enter Password")
        End If

        Try
            Dim con As New SqlConnection("Data Source=XXXX-B4C521B850\SQLEXPRESS;Initial Catalog=TT;Integrated Security=True")
            Dim ds1 As New DataSet
           
            Dim da1 As New SqlDataAdapter("select * from Login where UserName='" & Trim(txtUsername.Text) & "'and Password='" & Trim(txtPassword.Text) & "'", con)

            If da1.Fill(ds1) Then

                frmMdi.Show()
                Me.Hide()

            Else
                MsgBox("Invalid Password or Username")

            End If

        Catch ex As Exception
            MsgBox(ex.Message)
        End Try
    End Sub

Edited 5 Years Ago by vishalrane: n/a

@vishalrane Your login form is pretty easy to bypass.
Change lines 10 - 14 to:

dim dc as sqlcommand 
dc.connection = con

dc.commandtext = "select count(*) from Login where UserName ='" &Trim(txtUsername.Text) & "' and Password='" & Trim(txtPassword.Text) & "'") 
con.open
dim result = dc.executescalar

if result = 1 then

(Written by heart, may contain typos or errors)

This way even if the query doesn't return the results you intend, the form won't show.

If you want to take things seriously get the QUOTENAME function involved when passing username and password.