Creating a Parameterized Query

Creating a Parameterized Query

Rate This
  • Comments 39

I've been asked by a couple readers on how to pass parameters into a SQL statement to your database using the TableAdapters. I actually created a video on how to do this in the context of a search query (play video | download videoentire series). It's really easy to do this using the TableAdapter Query Configuration Wizard. Let's create a quick login form for an example.

I've got a table called Users in my database and I've created a Dataset called UsersDataset by opening up the Datasources window and adding a new datasource to my database. Then I created a form called LoginForm and from the Toolbox I dragged some labels and textboxes for the entry and a couple buttons, OK and Cancel, onto the form. I then set the PasswordChar property on the PasswordTextbox to "*". This indicates that the textbox should display this character instead of what the user types, but the value of the Text property will still be what the user enters.

(By the way, this example does NOT demonstrate a secure way of writing login forms. We'll be passing what the user enters directly into the database which stores the password in clear text. It is NOT safe practice to store clear text passwords in your database. I'll post a follow-up that talks about techniques we can use to protect users' passwords, especially if we need to store them in a database. For now, let's concentrate on how we add parameterized queries to our TableAdapters. UPDATE: Here's the follow up.)

Now at this point I build the project and in the WindowsApplication1 Components section at the top of the Toolbox I can now see the UsersDataset and the UsersTableAdapter listed (it's important that you build your project to get the components listed in the Toolbox). I drag the UsersTableAdapter onto the LoginForm which creates a component in the tray named UsersTableAdapter1.

So now that we've got that all set up, we're going to add a parameterized query to the UsersTableAdapter. First open up the UsersDataset and right-click on the TableAdapter in the designer and choose "Add Query".

This will open up the TableAdapter Query Configuration Wizard. First it asks you to choose a command type. Keep the default selected as "Use SQL Statement" and then click Next. Next it asks you to choose a query type. We're going to select the second option, to create a SELECT statement that returns a single value, not a result set.

Next we'll write the parameterized query as "SELECT COUNT(*) FROM Users WHERE UserName = @UserName AND Password = @Password". Then click Next and name the function "Login". This will create a TableAdapter method called Login that accepts a UserName and Password as a parameter and returns an Object which will be an Integer in our case since we're specifying to return the COUNT(*) of the rows that match the WHERE clause.

Now back to the LoginForm, we can double-click on the OK button to add a Click event handler.

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) _

    Handles Button1.Click



        If CType(Me.UsersTableAdapter1.Login(Me.UserNameTextBox.Text, _

                 Me.PasswordTextBox.Text), Integer) > 0 Then


            MsgBox("Welcome to my application!")


            MsgBox("Invalid username or password.")

        End If


    Catch ex As Exception


    End Try

End Sub

Now when we run this example and enter a user name and password that is contained in the database table Users, we get the greeting message otherwise we get the message that our user name or password is invalid.

As you can see it's really easy to add parameterized queries to your TableAdapters using the wizards. There's even a simple query builder you can use to help you write your queries and test them out before they are generated on the TableAdapter. In a follow up post I'll show you how to add secure password storage to your application using hashing and encryption.

Leave a Comment
  • Please add 7 and 6 and type the answer here:
  • Post
  • Thanks Beth.

    You're the best one.

  • Thanks from a noob....

    Your videos are great!  Make a thousand more.  After programming in unix for the last several years.  I feel like I have been in a desert  and suddenly came across a well of water.

  • Hi i need your help i have this error " Error 1 'login' no es un miembro de 'WindowsApplication1.UniversidadDataSetTableAdapters.usuariosTableAdapter'. C:\Documents and Settings\Käsar\Mis documentos\Visual Studio 2005\Projects\Cesar_University\Cesar_University\login.vb 5 22 Cesar_University"

    What is Login??????If CType(Me.UsuariosTableAdapter1.login(

  • Creating parameterized queries is one of the major countermeasures to SQL Injection attacks (not the

  • Hi Cesar,

    The Login method is generated on the TableAdapter when you name the function "Login" after you enter your parameterized query in the wizard.


  • In my first post on parameterized queries I built a simple login form that really was a contrived example

  • In my first post on parameterized queries I built a simple login form that really was a contrived example

  • I've been heads down this week (re)learning an older technology -- Visual Basic 6! With all the things

  • Beth Great Job!

    Help me!

    In your first video you creat a stored procedures.

    My VS 2005 don´t create in toolbox options for insert update and delete ?

    What is wrong?

    São Paulo - Brasil  whait your visit.

    Thank you!

  • Hi Edy,

    Stored procedures are not created automatically for you. I wrote the stored procedures for the video and put them as snippets in the toolbox. You can create code snippets by selecting text in the code editor and then dragging that onto the toolbox. Then you can use that snippet of code again by dragging from the toolbox into the editor.



  • I cannot locate WindowsApplication1 Components inthe ToolBox

    I am Using VB 2005 Professional

    THanks IN Advance

  • Hi Ahan,

    Make sure you build your project first.

    "(it's important that you build your project to get the components listed in the Toolbox)"


  • A small variation on your project, I would like the

    user to enter values into two text boxes and use them

    as range parameters in the dataset and return those records between the two values.  How would I do that?

  • Hi Perry,

    You can add as many parameters as you like to the query. Just like I showed above, when you add the @Parameter1 to the SQL query then it will pick it up as a parameter. If you are using Access (the OleDb client) then the parameter placeholder is a question mark (?). All you need to do is write the query that selects the range of values you want. For information on writing T-SQL queries check out SQL Server Books Online:



  • I am Lost.

    now after connecting My form to my DataBase, i can see an Application Components But it is connecting me to the data Base that i have created NOT the username/password.

Page 1 of 3 (39 items) 123