A lot of questions in the VB.NET forum are database related. Most of the code that gets posted results in one or more comments like "use parameterized queries to avoid SQL injection attacks". I won't describe the nature of a SQL injection because it is easily looked up via Google; there is a lengthy article at Wikipedia. What I will do here is give two examples of how to create queries using parameters. The first example uses SQLDB and the second uses OLEDB. The major difference between the two is that SQLDB uses named parameters while OLEDB uses positional parameters.
With SQLDB you give parameters names. Any name will do but it only makes sense to use a name that relates to the type of parameter. For example, if the corresponding database field is LastName you might name the parameter @lastName or @lname (all parameters must start with "@"). When you add the parameter values you can add them in any order and the @name you use must match the @name in the query string.
With OLEDB you specify a parameter with "?". When you add the parameters you must add them in the same order in which they appear in the query. The parameters you add can have any name, which can lead to confusion, as it might lead you to believe the order doesn't matter. It is for this reason I much prefer SQLDB.
Another advantage of parameterized queries is that they avoid awkward syntax when building queries. Instead of
query = "SELECT * FROM mytable WHERE Name = '" & txtName.Text & "'"
you can write
query = "SELECT * FROM mytable WHERE Name = @name"
and if you need to set a name like O'Leary, instead of
query = "UPDATE mytable SET Name = '" & txtName.Text & "'"...
which would fail because the embedded quote ends the SQL string literal early, or
query = "UPDATE mytable SET Name = '" & Replace(txtName.Text,"'","''") & "'"...
which is just butt ugly, the query
query = "UPDATE mytable SET Name = @name" ...
would automatically handle the embedded '.
One more note - many people write queries that spew out over many lines with no formatting and no concern that the queries be human readable. Please note the format I use. The queries are spread over several lines, the keywords are capitalized with the major ones at the start of each line, and the fields line up, which makes the query easier to read. The cost is a few embedded blanks. The payback is easier debugging and (important to me at least) prettier, easier-to-modify code.
If you are using MS SQL and have the PUBS database installed, you can try values for txtName.Text and txtPhone such as %e% and 4% to retrieve all names containing an "e" and with a phone number starting with a "4".
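The two parameter styles described above, side by side, as an added example that is not the original snippet: the same PUBS authors lookup written once with SqlClient (named parameters, added in reverse order to show that names bind them) and once with OleDb (positional "?" markers, added in query order). The connection string, the authors table columns and the sample values are assumptions; pass %e% and 4% as name and phone to try the wildcard search the post mentions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Data.OleDb

Module ParameterizedQueries
    ' SqlClient binds parameters by @name, so the order in which they are
    ' added does not matter; here they are added in reverse on purpose.
    Public Function FindAuthorsSql(connStr As String, name As String, phone As String) As DataTable
        Dim query As String =
            "SELECT au_lname, au_fname, phone " &
            "  FROM authors " &
            " WHERE au_lname LIKE @name " &
            "   AND phone LIKE @phone " &
            " ORDER BY au_lname"
        Dim result As New DataTable()
        Using conn As New SqlConnection(connStr), cmd As New SqlCommand(query, conn)
            cmd.Parameters.Add("@phone", SqlDbType.VarChar, 12).Value = phone
            cmd.Parameters.Add("@name", SqlDbType.VarChar, 40).Value = name
            conn.Open()
            result.Load(cmd.ExecuteReader())
        End Using
        Return result
    End Function

    ' OleDb binds every "?" by position: the first Add supplies the first
    ' marker, the second Add the second. The names are for readability only.
    Public Function FindAuthorsOleDb(connStr As String, name As String, phone As String) As DataTable
        Dim query As String =
            "SELECT au_lname, au_fname, phone " &
            "  FROM authors " &
            " WHERE au_lname LIKE ? " &
            "   AND phone LIKE ? " &
            " ORDER BY au_lname"
        Dim result As New DataTable()
        Using conn As New OleDbConnection(connStr), cmd As New OleDbCommand(query, conn)
            cmd.Parameters.Add("name", OleDbType.VarChar, 40).Value = name    ' first ?
            cmd.Parameters.Add("phone", OleDbType.VarChar, 12).Value = phone  ' second ?
            conn.Open()
            result.Load(cmd.ExecuteReader())
        End Using
        Return result
    End Function

    Sub Main()
        ' O'Leary is passed as data; the provider handles the embedded quote.
        Dim sqlConn As String = "Server=(local);Database=pubs;Integrated Security=True" ' placeholder
        Dim rows As DataTable = FindAuthorsSql(sqlConn, "O'Leary", "4%")
        Console.WriteLine("{0} author(s) found", rows.Rows.Count)
    End Sub
End Module
```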
Edited by Reverend Jim: Changed back to code snippet