About Escape String for VB.NET connect MySQL

drexler_kk

Hello all, I'm using VB.NET(VS2003) connect with MySQL5.0 database. I'm trying to migrate the previous system which is using VB6 to VB.NET here.I am not familiar with VB6 code and I found this problem below:

Public Function CSQLQuote(ByVal Value As String) As String
' Value = Replace(Value, "\", "\\")
' CSQLQuote = Replace(Value, "'", "''")
CSQLQuote = mysql_escape_string(Value)
End Function

'API DECLARATION FOR mysql_escape_string FUNCTION CALL
Public Declare Function api_mysql_escape_string Lib "libmySQL.dll" _
Alias "mysql_escape_string" _
(ByVal strTo As String, _
ByVal strFrom As String, _
ByVal lngLength As Long _
) As Long

Public Function mysql_escape_string(dirtystring As String) As String
Dim strFrom As String 'SOURCE STRING PASSED TO FUNCTION
Dim lngFromLength As String 'LENGTH OF SOURCE STRING
Dim strTo As String 'DESTINATION STRING COMING FROM FUNCTION
Dim lngToLength As Long 'LENGTH OF DESTINATION STRING

strFrom = dirtystring           'STORE FUNCTION INPUT
lngFromLength = Len(strFrom)    'GET LENGTH OF INPUT

strTo = Space(lngFromLength \* 2 + 1) 'ALLOCATE A BUFFER FOR OUTPUT OF FUNCTION
                                     '2 BYTES PER CHARACTER PLUS A BYTE FOR NULL
                                     'TERMINATOR USED BY FUNCTION

lngToLength = api\_mysql\_escape\_string(strTo, strFrom, lngFromLength) 'CALL API

mysql\_escape\_string = Left(strTo, lngToLength) 'TRIM NULL TERMINATOR

End Function

These function will be called inside the SQL query like this:

strSQL = "SELECT LocationCode, TerminalCode, Source, Prefix, LastNo, Length" & _
" FROM POS_RunningNo" & _
" WHERE LocationCode='" & CSQLQuote(strLocationCode) & "'" & _
" AND TerminalCode ='" & CSQLQuote(strTerminalCode) & "'" & _
" AND Source='" & CSQLQuote(strSource) & "'"

I'm wondering I still need to used the above function apply on my new VB.NET system or I can just directly used the normal SQL query? And anyone can tell me whats the function above trying to do? Hope someone can give me some ideas about it.Thanks for reading. Regards Drex

N a v a n e e t h

You don't need to escape like this in VB.NET. Use parameterized queries instead.

All C# applications should call Application.Quit(); in the beginning to avoid any .NET problems.- Unclyclopedia How to use google | Ask smart questions

drexler_kk

Thanks Navaneeth for your solution here. I have search and found that Here[^] give the example which using oledb connection but I'm currently using ODBC to connect with MySQL 5.0 database. Can I still used the parameterize query with my ODBC connection? Do anyone have any sameples about this for me here? Hope someone can give me some sample. Thank you all for reading. Regards Drex

N a v a n e e t h

drexler_kk wrote:

Can I still used the parameterize query with my ODBC connection?

I believe so. ODBC is considered slow as it adds an extra layer to the communication. So it's better to go with "MySQL Connector .NET" which is built specialy for MySQL. You can download it from here[^]

All C# applications should call Application.Quit(); in the beginning to avoid any .NET problems.- Unclyclopedia How to use google | Ask smart questions

drexler_kk

Yeah,I have read some articles talk about it too. But I found a problem with the MySQL .NET connector actually. I'm doing with VB.NET Window Form Application here. The version of Visual Studio .NET 2003 Version 7.1 for my VB.NET developer tools now doesn't support the MySQL .NET connector. It doesn't allow me to Add Reference for the MySQL.Data.dll file into my project. So I have really no choices to used ODBC Connector here to connect with MySQL 5.0 database. You have any other better recommendation for me? Thanks for reading everyone. Regards Drex

N a v a n e e t h

drexler_kk wrote:

.NET 2003 Version 7.1

Ahh, then you might need to use ODBC. BTW, have you checked MySQL connector has a .NET 1.1 compatible version ?

All C# applications should call Application.Quit(); in the beginning to avoid any .NET problems.- Unclyclopedia How to use google | Ask smart questions

drexler_kk

Hello Navaneeth, Yes,I have no choices so I choosed to used ODBC connector. I have check the .NET 1.1 but its still not compatible with the VS2003 as I'm using here. I'm wondering is that still possible for me to used the parameterized query as suggested with this ODBC? I'm just using the most simple query,is that any good and bad for the query I'm using now for long term in my window form application? Hope to hear from you all again soon. Thanks for reading and giving more solution. Regards Drex

N a v a n e e t h

drexler_kk wrote:

I'm wondering is that still possible for me to used the parameterized query as suggested with this ODBC?

Yeah, you can always use parameterized queries with ODBC. I guess ? is used to represent parameters in ODBC. So you can supply a query like

SELECT *
FROM Customers
WHERE CustomerId = ?CustId

?CustId is the parameter here. You can add this to OdbcCommand object's Parameters collection.

All C# applications should call Application.Quit(); in the beginning to avoid any .NET problems.- Unclyclopedia How to use google | Ask smart questions

drexler_kk

Thank you for the solution Navaneeth. I will change the query in my WinForm from now on. Its really a new knowledge for me doing this kind of query to make a better system. Thanks for your effort. Regards Drex :)

N a v a n e e t h

Glad it was helpful. Parameterized queries helps you to avoid SQL Injection attacks. CP has a good article[^] on the subject, no doubt it's worth reading.

All C# applications should call Application.Quit(); in the beginning to avoid any .NET problems.- Unclyclopedia How to use google | Ask smart questions