sql query
-
I am using SQL Server along with C#. I want to use both string and integer values in one query, and I am writing the query below: return "Insert INTO "+tableName+" (id,name,client,expstartdate,expenddate,cost,description)Values('+createpro.propertyPId+','"+createpro.propertyPname+"','"+createpro.propertyClient+"','"+createpro.propertyExpStDate+"','"+createpro.propertyExpEndDate+"','+createpro.propertycost+','"+createpro.propertydescription"')"; but this query is giving an error. Is this query right for the solution of my problem? If not, then give me the solution. muhammad mahmood ilyas
-
Put your query string in a local variable and display it. You will see that there are missing quotes. It looks like you mixed the quote and the apostrophe up. Try this (untested; I'm not sure about the date format): "Insert INTO " + tableName + " ( id, name, client, expstartdate, expenddate, cost, description) Values( " + createpro.propertyPId + ", " + "'" + createpro.propertyPname + "', " + createpro.propertyClient + ", " + "'" + createpro.propertyExpStDate + "', " + "'" + createpro.propertyExpEndDate+ "', " + "'" + createpro.propertycost + "', " + "'" + createpro.propertydescription + "'" + ")"
-
Your code is highly susceptible to SQL injection attacks; resolving the security problems will also resolve your other problems. See SQL Injection Attacks and Tips on How To Prevent Them.
Scottish Developers events: * .NET debugging, tracing and instrumentation by Duncan Edwards Jones and Code Coverage in .NET by Craig Murphy * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog
-
Hi, try this one: "Insert INTO "+tableName+" (id,name,client,expstartdate,expenddate,cost,description)Values('+createpro.propertyPId+',' "+createpro.propertyPname+" ',' "+createpro.propertyClient+" ',' "+createpro.propertyExpStDate+" ',' "+createpro.propertyExpEndDate+" ','+createpro.propertycost+',' "+createpro.propertydescription" ')"; :-O
-
What is it with people today? Just about every SQL question has been answered with something that simply invites an attacker into the system, in some cases warmly shaking the hand of the attacker as well while saying "Just take everything you want". Securing a database against SQL injection attacks is so unbelievably easy, yet no one today seems to care: SQL Injection Attacks and Tips on How to Prevent Them.
Scottish Developers events: * .NET debugging, tracing and instrumentation by Duncan Edwards Jones and Code Coverage in .NET by Craig Murphy * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog
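What the two SQL-injection replies above are asking for, as an added example that is not code from any poster in this thread: the question's INSERT rewritten with typed SqlParameter objects, so integers, strings and dates are each sent as values rather than spliced into the SQL text. The CreatePro class, the connection string and the table allow-list are assumptions; System.Data.SqlClient is used because the question targets SQL Server from C#.

```csharp
// Added example, not code from the thread: the question's INSERT with typed SqlParameters.
// The connection string, the CreatePro class and the table allow-list are assumptions.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public class CreatePro
{
    public int PropertyPId { get; set; }
    public string PropertyPname { get; set; }
    public string PropertyClient { get; set; }
    public DateTime PropertyExpStDate { get; set; }
    public DateTime PropertyExpEndDate { get; set; }
    public decimal PropertyCost { get; set; }
    public string PropertyDescription { get; set; }
}

public static class PropertyRepository
{
    // A table name cannot be passed as a parameter, so it is checked against a
    // fixed list of known tables before being spliced into the statement text.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Property", "PropertyArchive" };

    public static int Insert(string connectionString, string tableName, CreatePro createpro)
    {
        if (!AllowedTables.Contains(tableName))
            throw new ArgumentException("Unknown table: " + tableName, nameof(tableName));
        string sql = "INSERT INTO [" + tableName + "] (id, name, client, expstartdate, expenddate, cost, description) " +
                     "VALUES (@id, @name, @client, @expstartdate, @expenddate, @cost, @description)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Each value travels with its own type: no hand-written quotes, so a name such as
            // O'Brien or a culture-specific date string can no longer break or alter the SQL.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = createpro.PropertyPId;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = createpro.PropertyPname;
            cmd.Parameters.Add("@client", SqlDbType.NVarChar, 100).Value = createpro.PropertyClient;
            cmd.Parameters.Add("@expstartdate", SqlDbType.DateTime).Value = createpro.PropertyExpStDate;
            cmd.Parameters.Add("@expenddate", SqlDbType.DateTime).Value = createpro.PropertyExpEndDate;
            cmd.Parameters.Add("@cost", SqlDbType.Money).Value = createpro.PropertyCost;
            cmd.Parameters.Add("@description", SqlDbType.NVarChar, -1).Value = (object)createpro.PropertyDescription ?? DBNull.Value;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows inserted, 1 on success
        }
    }
}
```

The NVarChar sizes and the Money type are assumed column definitions; match them to the real table so SQL Server does not have to convert the parameters at execution time.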
-
Thank you, everyone, for taking an interest in my query. muhammad mahmood ilyas