Reputation: 485
I have some VB code trying to execute an SQL statement in a function:
Public Shared Function getBackgroundInfo(ByVal aID As Guid) As pd_ABC
Dim SQLCMD As New SqlCommand
Dim BackgroundInfoDS As New DataSet()
SQL = "select * from tblABC where ID = '" & aID & "'"
.....
Both my ID and aID are GUID type,
but Visual Studio shows an error on where ID = '" & aID & "'"
I wonder if there is a better way to do this? Or do I need to use parameterized query?
Thanks for suggestions!
Upvotes: 0
Views: 4474
Reputation: 41589
"select * from tblABC where ID = '" is a string, aID is a guid.
When you add aID into your string, use aID.ToString().
I would definitely recommend a parameterized version of your code though - for safety, code quality and general good practice.
Upvotes: 4
Reputation: 125650
You can call ToString() on a Guid instance to get the string representation of a guid:
SQL = "select * from tblABC where ID = '" & aID.ToString() & "'"
And answering your other question, "Or do I need to use parameterized query?":
You don't need to, but you probably should. It's safer and more readable to use parameterized queries.
Upvotes: 1
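Both answers recommend a parameterized query; this is what that looks like for the question's function, as an added example that is not from the question or either answer. The connection string, the DataSet return type (the question's pd_ABC type is not shown) and the use of a SqlDataAdapter are assumptions.

```vb
' Added example: parameterized form of the question's query.
' The Guid is passed as a typed SqlDbType.UniqueIdentifier parameter,
' so there is no quoting, no ToString() and no SQL string concatenation.
Imports System.Data
Imports System.Data.SqlClient

Public Class AbcRepository
    ' Assumption: connection string is supplied by the caller.
    Private ReadOnly _connectionString As String

    Public Sub New(ByVal connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Returns the rows of tblABC whose ID matches aID.
    ' Assumption: a DataSet is returned instead of the question's pd_ABC type.
    Public Function GetBackgroundInfo(ByVal aID As Guid) As DataSet
        Dim backgroundInfoDS As New DataSet()

        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand("SELECT * FROM tblABC WHERE ID = @ID", conn)
                ' Typed parameter: the driver sends the Guid as a value,
                ' never as part of the SQL text.
                cmd.Parameters.Add("@ID", SqlDbType.UniqueIdentifier).Value = aID

                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(backgroundInfoDS, "tblABC")
                End Using
            End Using
        End Using

        Return backgroundInfoDS
    End Function
End Class
```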