I just learnt to use "Parameters.AddWithValue" to prevent harm from SQL injections. However, I have only been able to do this with INSERT, and I have trouble using it with SELECT and UPDATE. Please look at my code with UPDATE:

    Try
        ConnectionSettings()
        con.Open()
        Dim SqlUpdate As String
        SqlUpdate = "UPDATE tblStudents SET Surname = @Surname"
        cmd.Parameters.AddWithValue("@Surname", txtSurname.Text)
        cmd = New MySqlCommand(SqlUpdate, con)
        cmd.ExecuteNonQuery()
        MsgBox("Updated")
        con.Close()
    Catch ex As MySqlException
        MsgBox("Error " & ex.Message)
    End Try

The cmd.ExecuteNonQuery() was highlighted and I can also see the error message "The Parameter '@Surname' must be defined". I thought I had defined it by cmd.Parameters.AddWithValue("@Surname", txtSurname.Text)? I get the same with the SELECT statement. I've tried a Google search to no avail.
Any help please?
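
Added example (not part of the original post): in the code above, the parameter is added to whatever `cmd` referred to before `cmd = New MySqlCommand(SqlUpdate, con)` replaces it, so the command that actually executes has no `@Surname`. The code below creates the command first and then binds the parameters, for both UPDATE and SELECT. The connection string, the `StudentID` column and the function names are assumptions, not taken from the post.

```vbnet
Imports System.Collections.Generic
Imports MySql.Data.MySqlClient

Module StudentQueries
    ' Placeholder connection string (assumption): replace with your own settings.
    Private Const ConnStr As String =
        "server=localhost;database=school;uid=app_user;pwd=CHANGE_ME"

    ' UPDATE: build the command first, then attach parameters to that same object.
    ' The WHERE clause on StudentID (hypothetical column) limits the change to one row.
    Public Function UpdateSurname(studentId As Integer, surname As String) As Integer
        Const sql As String =
            "UPDATE tblStudents SET Surname = @Surname WHERE StudentID = @StudentID"
        Using con As New MySqlConnection(ConnStr)
            Using cmd As New MySqlCommand(sql, con)
                cmd.Parameters.AddWithValue("@Surname", surname)
                cmd.Parameters.AddWithValue("@StudentID", studentId)
                con.Open()
                Return cmd.ExecuteNonQuery() ' number of rows affected
            End Using
        End Using
    End Function

    ' SELECT: same pattern. The user-supplied value travels as a parameter
    ' and never becomes part of the SQL text.
    Public Function FindIdsBySurname(surname As String) As List(Of Integer)
        Const sql As String =
            "SELECT StudentID FROM tblStudents WHERE Surname = @Surname"
        Dim ids As New List(Of Integer)
        Using con As New MySqlConnection(ConnStr)
            Using cmd As New MySqlCommand(sql, con)
                cmd.Parameters.AddWithValue("@Surname", surname)
                con.Open()
                Using reader As MySqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        ids.Add(reader.GetInt32(0))
                    End While
                End Using
            End Using
        End Using
        Return ids
    End Function
End Module
```

The `Using` blocks close the connection and dispose the command even when an exception is thrown, which the original `con.Close()` inside `Try` does not guarantee.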