Quote:
Originally Posted by Abyss
Just out of interest, what would be the correct way to build the SQL string? This database is under minimal risk to be targeted by a malicious user though it would be good to know for the future.
I haven't worked in VB.NET much, or really at all, but I suspect it would be something like this:
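Dim command As ADODB.Command
Dim usernameParam As ADODB.Parameter
Dim rs As ADODB.Recordset
' The SQL text stays constant; the value is bound as a parameter, never concatenated
Set command = New ADODB.Command
command.CommandText = "SELECT * FROM users WHERE username = @username"
command.ActiveConnection = CurrentProject.Connection
Set usernameParam = New ADODB.Parameter
usernameParam.ParameterName = "username"
usernameParam.Type = adVarChar
' adVarChar is variable-length, so Size must be set before Append (255 is an assumed column width)
usernameParam.Size = 255
usernameParam.Value = "Bob"
command.Parameters.Append usernameParam
Set rs = command.Execute()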
Long-winded, I know. Maybe there's a more concise way.