SQL Query
---------
Dim sSQL As String = "SELECT FirstName, LastName, Title FROM Employees WHERE ((EmployeeID >" & sEmpId & " AND HireDate >#" & sHireDate & "#) AND Country = '" & sCountry & "')
Our query take input values from variables that we defined before (sEmpId, sHireDate, sCountry) so we have to deal with various marker signs, such as quote (') to enclose our string variables and the pound sign (#) to enclose our date type variables. These are the rule of thumbs, so if you do not follow them, your query will not work!
parameterized Query
-------------------
'Define our sql query
Dim sSQL As String = "SELECT FirstName, LastName, Title " & _
"FROM Employees " & _
"WHERE ((EmployeeID > ? AND HireDate > ?) AND Country = ?)"
Take a look at the variable (sSQL) where we define our parameterized query. We use the question mark sign (?) for each input into the query. Notice that we use the question mark regardless of the type of our variable. To associated the parameter in the query we have to add parameters to the Parameters collection of the Command object. You can give the name of your parameter as whatever you want, as long as it's unique! Remember that you have to add the parameter in the same order as the order of the question mark signs that you put in your query!
oCmd.Parameters.Add("EmployeeID", sEmpId)
oCmd.Parameters.Add("HireDate", sHireDate)
oCmd.Parameters.Add("Country", sCountry)
***** Parameterized queries in SQL server are cached and resused
No comments:
Post a Comment