Congratulations - you've just introduced a serious security vulnerability into your code! :doh:
Parameterized queries aren't difficult. They will fix this security vulnerability. And they will most likely fix the error you're seeing as well.
' At the top of the file:
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

' Inside the event handler or method that performs the update:
Dim connectionString As String = ConfigurationManager.ConnectionStrings("YourConnectionStringName").ConnectionString
' User input appears only as @parameters, never concatenated into the SQL text.
Dim commandText As String = "UPDATE YourTableName SET IDNo = @IDNo, Comments = @Comments WHERE IDNo Like @OriginalIDNo + '%'"
Using connection As New SqlConnection(connectionString)
    Using command As New SqlCommand(commandText, connection)
        command.CommandType = CommandType.Text
        ' Values are sent to the server separately from the command text.
        command.Parameters.AddWithValue("@IDNo", IDNoTextBox.Text)
        command.Parameters.AddWithValue("@Comments", CommentsTextBox.Text)
        command.Parameters.AddWithValue("@OriginalIDNo", TextBox1.Text)
        connection.Open()
        command.ExecuteNonQuery()
    End Using
End Using
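A further hardening of the same update, added here as an example and not part of the original answer: parameters stop the value from being parsed as SQL, but `%`, `_` and `[` inside `@OriginalIDNo` are still treated as LIKE pattern syntax, and an empty value makes the pattern match every row. The module and function names, and the parameter sizes, are assumptions; the table and column names are the placeholders used in the answer.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module IdPrefixUpdate
    ' Escape the characters T-SQL LIKE treats as pattern syntax so the value
    ' is matched literally. "\" is the escape character declared in the
    ' ESCAPE clause of the query below, so it is doubled first.
    Function EscapeLikeLiteral(value As String) As String
        Return value.Replace("\", "\\").Replace("%", "\%").Replace("_", "\_").Replace("[", "\[")
    End Function

    ' Hypothetical helper; returns the number of rows updated.
    Function UpdateByIdPrefix(connectionString As String, newId As String,
                              comments As String, originalIdPrefix As String) As Integer
        ' An empty prefix would reduce the pattern to '%' and update every row.
        If String.IsNullOrWhiteSpace(originalIdPrefix) Then
            Throw New ArgumentException("Original ID prefix is required.", NameOf(originalIdPrefix))
        End If

        Const commandText As String =
            "UPDATE YourTableName SET IDNo = @IDNo, Comments = @Comments " &
            "WHERE IDNo LIKE @OriginalIDNo + '%' ESCAPE '\'"

        Using connection As New SqlConnection(connectionString)
            Using command As New SqlCommand(commandText, connection)
                ' Explicit types and sizes (assumed here) instead of relying on
                ' AddWithValue to infer them from the .NET value.
                command.Parameters.Add("@IDNo", SqlDbType.NVarChar, 50).Value = newId
                command.Parameters.Add("@Comments", SqlDbType.NVarChar, -1).Value =
                    If(comments, String.Empty)
                command.Parameters.Add("@OriginalIDNo", SqlDbType.NVarChar, 100).Value =
                    EscapeLikeLiteral(originalIdPrefix)
                connection.Open()
                Return command.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```

Checking the returned row count against what the caller expects (for example, exactly one row) catches a prefix that matched more records than intended.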