By Ubaid Ur Rahman


2018-06-25 08:37:28 8 Comments

My code is as follows:

    protected void Button1_Click(object sender, EventArgs e)
    {
        // mycon (the connection string) and sqlq (a helper that runs a statement)
        // are defined elsewhere in the page class and are not shown in the question.
        SqlConnection con = new SqlConnection(mycon);   // created but never used in this handler

        // The textbox values are concatenated straight into the SQL text
        string str = "insert into CustomerHistoryAD(customerId,checkNumber,bank,city,date,amount) values('"
            + tb_customerID.Text + "','" + tb_CheckNumber.Text + "','" + tb_bank.Text + "','"
            + tb_city.Text + "','" + tb_date.Text + "','" + tb_Amount.Text + "')";
        sqlq(str);

        lbl0.Text = " DataSaved Successfully ";
        tb_Notification.Text = "Record of Customer ID '" + tb_customerID.Text + "' is Submitted";
    }

    protected void Button2_Click(object sender, EventArgs e)
    {
        // Same pattern: the notification text (which itself carries tb_customerID.Text)
        // is concatenated into the second query
        string query = "insert into notification(message) values('" + tb_Notification.Text + "')";
        String mycon = "Data Source=DESKTOP-79IQ2D8; Initial Catalog=ForexMedia; Integrated Security=true";
        SqlConnection con = new SqlConnection(mycon);
        con.Open();
        SqlCommand cmd = new SqlCommand();
        cmd.CommandText = query;
        cmd.Connection = con;
        cmd.ExecuteNonQuery();
        // The connection is never closed or disposed
        Label3.Text = "Notification Sent";
        tb_Notification.Text = "";
    }

1 comment

@Amit Joshi 2018-06-25 08:41:37

There must be a problem in one of the input parameters that you are reading directly from controls.

This is not recommended anyway, due to the threat of SQL injection attacks.

If you change your queries to use parameters (parameterized queries), I hope this issue will be resolved.

Following is an example of how to use parameters. Note that I am not using your code in the example:

    // yourOpenConnection is an already opened SqlConnection
    string strSQL = @"INSERT INTO ... (Field1, ...)
                      VALUES
                      (@param1, ...)";
    SqlCommand objSqlCommand = new SqlCommand(strSQL, yourOpenConnection);
    objSqlCommand.Parameters.Clear();
    objSqlCommand.Parameters.AddWithValue("@param1", yourControl.Text);
    // ... one AddWithValue call for each remaining @parameter in the statement
    objSqlCommand.ExecuteNonQuery();
    objSqlCommand.Dispose();

You should further improve this code by wrapping it in a using block or proper try/catch blocks.

This way, if there is any SQL-sensitive character in your input, it will be handled correctly and the issue will be resolved. This is also strongly recommended to protect yourself from SQL injection attacks.
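The concatenated INSERT from the question beside a parameterized version, as an added example that is not part of the question or of the comment above. It assumes the CustomerHistoryAD table named in the question; the class name, method names, parameter sizes and the sample input are assumptions made for the illustration. It goes a little beyond the comment: it binds values with explicit SqlDbType rather than AddWithValue, and it converts the date and amount fields before they reach the database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example, not code from the question or the comment. Assumes the
// CustomerHistoryAD table from the question; names below are hypothetical.
public static class CustomerHistoryRepository
{
    // The question's approach, kept only to show the failure: the values become
    // part of the SQL text, so a quote in any of them changes the statement.
    public static string ConcatenatedInsert(string customerId, string checkNumber,
        string bank, string city, string date, string amount)
    {
        return "insert into CustomerHistoryAD(customerId,checkNumber,bank,city,date,amount) values('"
            + customerId + "','" + checkNumber + "','" + bank + "','" + city + "','"
            + date + "','" + amount + "')";
    }

    // Hardened version: fixed SQL text, every value bound as a typed parameter.
    // The server receives the statement and the values separately, so quotes,
    // semicolons or comment markers inside a value are just data.
    public static SqlCommand BuildInsertCommand(SqlConnection con, string customerId,
        string checkNumber, string bank, string city, DateTime date, decimal amount)
    {
        const string sql =
            "INSERT INTO CustomerHistoryAD (customerId, checkNumber, bank, city, date, amount) " +
            "VALUES (@customerId, @checkNumber, @bank, @city, @date, @amount)";
        var cmd = new SqlCommand(sql, con);
        // Column sizes are assumptions; match them to the real table definition.
        cmd.Parameters.Add("@customerId", SqlDbType.NVarChar, 50).Value = customerId;
        cmd.Parameters.Add("@checkNumber", SqlDbType.NVarChar, 50).Value = checkNumber;
        cmd.Parameters.Add("@bank", SqlDbType.NVarChar, 100).Value = bank;
        cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = city;
        cmd.Parameters.Add("@date", SqlDbType.Date).Value = date;
        SqlParameter amountParam = cmd.Parameters.Add("@amount", SqlDbType.Decimal);
        amountParam.Precision = 18;
        amountParam.Scale = 2;
        amountParam.Value = amount;
        return cmd;
    }

    // Convert the free-text fields once, before touching the database, so a bad
    // date or amount becomes a message for the user instead of a SqlException.
    public static bool TryParseInputs(string dateText, string amountText,
        out DateTime date, out decimal amount, out string error)
    {
        amount = 0m;
        error = null;
        if (!DateTime.TryParseExact(dateText, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.None, out date))
        {
            error = "Date must be in yyyy-MM-dd form.";
            return false;
        }
        if (!decimal.TryParse(amountText, NumberStyles.Number, CultureInfo.InvariantCulture, out amount)
            || amount < 0m)
        {
            error = "Amount must be a non-negative number.";
            return false;
        }
        return true;
    }

    // What a click handler should call: validate, then run the parameterized
    // command inside using blocks so the connection is always released.
    public static int InsertHistory(string connectionString, string customerId,
        string checkNumber, string bank, string city, string dateText, string amountText)
    {
        if (!TryParseInputs(dateText, amountText, out DateTime date, out decimal amount, out string error))
            throw new ArgumentException(error);
        using (var con = new SqlConnection(connectionString))
        using (SqlCommand cmd = BuildInsertCommand(con, customerId, checkNumber, bank, city, date, amount))
        {
            con.Open();
            return cmd.ExecuteNonQuery();   // rows affected, 1 on success
        }
    }

    public static void Main()
    {
        // Constructed sample input: a legitimate city name that contains an apostrophe.
        string city = "O'Fallon";
        Console.WriteLine(ConcatenatedInsert("C001", "1001", "HBL", city, "2018-06-25", "250.00"));
        // The printed text ends in ...'HBL','O'Fallon','2018-06-25','250.00'): the apostrophe
        // closes the literal after O and SQL Server rejects the statement as a syntax error.
        // A value crafted as  x'); <attacker SQL>--  would instead be executed.

        // Parameterized version. No connection is opened here; the SqlConnection object
        // is only needed to construct the command, so this part runs without a server.
        TryParseInputs("2018-06-25", "250.00", out DateTime date, out decimal amount, out _);
        using (var con = new SqlConnection("Data Source=.;Initial Catalog=ForexMedia;Integrated Security=true"))
        using (SqlCommand cmd = BuildInsertCommand(con, "C001", "1001", "HBL", city, date, amount))
        {
            Console.WriteLine(cmd.CommandText);               // SQL text unchanged by the input
            Console.WriteLine(cmd.Parameters["@city"].Value); // O'Fallon, sent as data
        }
    }
}
```

InsertHistory needs a reachable SQL Server; Main only builds the commands. Two details worth carrying back to the question: the notification query in Button2_Click has the same shape and should be parameterized the same way, since tb_Notification.Text is built from tb_customerID.Text and any quote in the ID travels into that second query; and Add with an explicit SqlDbType is preferred over AddWithValue, which infers the SQL type from the .NET value and can cause implicit conversions on the server. The connection string belongs in configuration rather than in the handler.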
