For starters, you have a multitude of problems in your SQL block:

- Line 1 is vulnerable to SQL Injection.
- Line 2 is also vulnerable.
- Line 3 is not needed and increases memory usage.
- Line 5 has a syntax error; it should be `count = Convert.ToInt16(cmd.ExecuteScalar())`.
```vb
Dim sql1 As String = "select count(regd_no) from class_table where class ='" + Str1 + "'"
Dim sql As String = "select regd_no from class_table where class ='" + Str1 + "'"
cmd1 = New SqlCommand(sql, conn)
cmd = New SqlCommand(sql1, conn)
count = Convert.ToInt16(cmd.ExecuteScalar)
dr = cmd1.ExecuteReader()
```
NEVER EVER build an SQL query by concatenating commands with variables.

This is how I would write this: using Parameters to get rid of the vulnerability, fixing the syntax error, and reusing the `cmd` object by simply changing the CommandText and keeping the existing parameter.
```vb
Dim sql1 As String = "SELECT count(regd_no) FROM class_table WHERE class = @Str1"
Dim sql As String = "SELECT regd_no FROM class_table WHERE class = @Str1"
cmd = New SqlCommand(sql1, conn)
cmd.Parameters.AddWithValue("@Str1", Str1)
count = Convert.ToInt16(cmd.ExecuteScalar())
cmd.CommandText = sql
dr = cmd.ExecuteReader()
```
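As an added, runnable illustration (not part of the answer above, and not the asker's VB.NET/SqlClient code), here are the same two queries written both ways in Python against an in-memory SQLite database. The table name, column names and the three sample rows are constructed for the demo; the `?` placeholder is SQLite's equivalent of `@Str1`, and the same bound parameter is reused for the count and the row query exactly as the answer does with `CommandText`. It shows the point the answer makes: with concatenation, a single quote in the input becomes part of the SQL text and changes the statement, while the parameterized form treats the same input as a plain value.

```python
import sqlite3

# Constructed sample data standing in for the asker's class_table (hypothetical rows).
SAMPLE_ROWS = [
    (101, "CS101"),
    (102, "CS101"),
    (103, "MATH200"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE class_table (regd_no INTEGER PRIMARY KEY, class TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO class_table VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def count_and_fetch_concat(conn, str1):
    """The pattern the answer warns against: the input is spliced into the SQL text.

    Any quote character in str1 ends the string literal early and is then parsed
    as SQL, so the caller no longer controls what statement actually runs.
    """
    sql1 = "select count(regd_no) from class_table where class ='" + str1 + "'"
    sql = "select regd_no from class_table where class ='" + str1 + "'"
    count = conn.execute(sql1).fetchone()[0]
    rows = sorted(r[0] for r in conn.execute(sql).fetchall())
    return count, rows


def count_and_fetch_param(conn, str1):
    """The answer's fix: one placeholder, the input bound as a value.

    The same parameter tuple is reused for both statements, mirroring the answer's
    reuse of cmd.Parameters while only CommandText changes.
    """
    sql1 = "SELECT count(regd_no) FROM class_table WHERE class = ?"
    sql = "SELECT regd_no FROM class_table WHERE class = ?"
    params = (str1,)
    count = conn.execute(sql1, params).fetchone()[0]
    rows = sorted(r[0] for r in conn.execute(sql, params).fetchall())
    return count, rows


def concat_breaks_on_quote(conn, str1):
    """Return True if the concatenated query fails to parse for this input.

    A syntax error is the visible symptom that the input escaped the string
    literal; the parameterized version never has this failure mode.
    """
    try:
        count_and_fetch_concat(conn, str1)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input:", count_and_fetch_concat(db, "CS101"))
    print("param,  normal input:", count_and_fetch_param(db, "CS101"))
    print("param,  input with a quote:", count_and_fetch_param(db, "CS'101"))
    print("concat breaks on quote:", concat_breaks_on_quote(db, "CS'101"))
```

With a well-behaved value such as `CS101` both versions return the same count and rows, which is why the concatenated code appears to work in testing; the difference only shows up when the input contains characters that are meaningful to the SQL parser.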