Use parameters to remove the SQL Injection vulnerability from your code.
You also can't reference a field by name when the query doesn't specify a name for the field.
    ' The @wopre / @wosuf placeholders are bound to values below; the values are sent
    ' separately from the SQL text, so they can never change the statement itself.
    dbcmd.CommandText = "SELECT SUM(WOBOM_AMATCST) FROM WOBOM WHERE WOBOM_WOPRE = @wopre AND WOBOM_WOSUF = @wosuf"
    dbcmd.Parameters.AddWithValue("@wopre", wopre)
    dbcmd.Parameters.AddWithValue("@wosuf", wosuf)
    dbcmd.Connection = nconn
    dbReader = dbcmd.ExecuteReader()
    While (dbReader.Read)
        ' The SUM column has no name, so it is read by position (index 0).
        ' SUM over zero matching rows returns NULL, which arrives as DBNull;
        ' adding DBNull to a number throws, so guard for it first.
        If Not dbReader.IsDBNull(0) Then
            MatlCost = MatlCost + dbReader(0)
        End If
    End While
    dbReader.Close()
NB: Don't store connection, command, and data reader objects in class-level fields. Instead, create them when needed, and wrap them in Using blocks to ensure they're properly disposed of when you've finished with them.
Using Statement - Visual Basic | Microsoft Docs
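The following is an added example, not the code posted in the answer above or from the original question. It shows the same parameterized SUM query rewritten the way the NB recommends: every connection, command and result object is created locally inside Using blocks, the parameters are declared with explicit SQL types instead of relying on AddWithValue's type inference, and the NULL that SUM returns for zero matching rows is handled instead of crashing. The WOBOM table and column names come from the query above; the use of System.Data.SqlClient (SQL Server), the NVARCHAR(20) parameter sizes and a decimal cost column are assumptions.

```vb
' Added example (not the original poster's code). Assumes SQL Server via
' System.Data.SqlClient; the table/column names are from the query in the
' answer, the parameter types/sizes and the decimal result type are assumed.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module MaterialCost

    ''' <summary>
    ''' Returns the summed material cost for one work order, or 0 when no
    ''' WOBOM rows match. Safe against SQL injection because wopre/wosuf are
    ''' passed as typed parameters, never concatenated into the SQL text.
    ''' </summary>
    Public Function GetMaterialCost(connectionString As String,
                                    wopre As String,
                                    wosuf As String) As Decimal

        ' Each object that holds a database resource is created here and
        ' disposed by its Using block, even if an exception is thrown.
        Using nconn As New SqlConnection(connectionString)
            Using dbcmd As New SqlCommand(
                    "SELECT SUM(WOBOM_AMATCST) FROM WOBOM " &
                    "WHERE WOBOM_WOPRE = @wopre AND WOBOM_WOSUF = @wosuf",
                    nconn)

                ' Typed parameters: quotes, semicolons or comment markers in
                ' wopre/wosuf are sent as data, so they cannot alter the
                ' statement. Declaring SqlDbType and size explicitly avoids
                ' AddWithValue guessing a type from the .NET value (the
                ' NVARCHAR(20) sizes are an assumption for this example).
                dbcmd.Parameters.Add("@wopre", SqlDbType.NVarChar, 20).Value = wopre
                dbcmd.Parameters.Add("@wosuf", SqlDbType.NVarChar, 20).Value = wosuf

                nconn.Open()

                ' The query yields one row with a single unnamed column, so
                ' ExecuteScalar replaces the reader loop and the need to
                ' address the column by position.
                Dim result As Object = dbcmd.ExecuteScalar()

                ' SUM over zero matching rows is NULL, which arrives as
                ' DBNull.Value; report it as a zero cost instead of throwing.
                If result Is Nothing OrElse Convert.IsDBNull(result) Then
                    Return 0D
                End If

                Return Convert.ToDecimal(result)
            End Using
        End Using
    End Function

End Module
```

Call it as `Dim cost = MaterialCost.GetMaterialCost(connStr, wopre, wosuf)` wherever the class-level fields were used before; because nothing is kept open between calls, the connection is returned to the pool as soon as the function exits, and the caller's values are treated strictly as data regardless of what characters they contain.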