sql server insert
-
I have a TextBox and its value is stored in a database, but when the entered value is like ' , ' or ' ; ' an error occurs, so how can I solve this problem?
that should not happen. assuming your DB field is nvarchar, it should be able to hold whatever text you enter. what is your database? are you using SQLParameter? maybe best show us your relevant code. :)
Luc Pattyn [Forum Guidelines] [Why QA sucks] [My Articles]
I only read formatted code with indentation, so please use PRE tags for code snippets.
I'm not participating in frackin' Q&A, so if you want my opinion, ask away in a real forum (or on my profile page).
-
OK,
protected void Button1_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection();
    con.ConnectionString = ConfigurationManager.ConnectionStrings["AdNetConnectionString"].ToString();
    Session["CampaignName"] = TexBox1.Text.ToString();
    string sql;
    // The textbox value is concatenated straight into the SQL text.
    sql = "insert into AdCampaign (CampaignName)values( ' " + Session["CampaignName"] + " ')";
    SqlCommand cmd = new SqlCommand(sql, con);
    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();
}
-
I still don't know what your database is. I see you are not using SQLParameter; it would almost certainly solve your problem. Read up on it, and use it; it will keep a lot of problems away, SQL injection vulnerability being one of them. I would not move the data from the textbox through the session array into the SQL command; no need for such a detour. No need for ToString() either, the content of a TextBox is always a string. :)
Luc Pattyn
-
How to use a parameterized query, using your code as an example:
sql = "insert into AdCampaign (CampaignName) values(@myParameter)";
SqlCommand cmd = new SqlCommand(sql, con);
cmd.Parameters.AddWithValue("myParameter", Session["CampaignName"]);
I.e. in your SQL statement, no values are shown, but only the parameters; with SQL Server, parameter names usually start with an @. After having created the command object, you add all of your parameters with their respective values.
-
I always prefer using a stored procedure with I/O params instead of a hard-coded SQL statement.
Thanks Md. Marufuzzaman
I will not say I have failed 1000 times; I will say that I have discovered 1000 ways that can cause failure – Thomas Edison.
-
ok , my code is:
sql_Store_Sessions = "insert into AdCampaign (AccountID,AdType,SiteCategory,Language,Gender,Age,Keyword,MaxBudget,DailyBudget,CampaignName,AdHeadline,AdText,DisplayUrl,TargetUrl,BannerImg,ImgName,Date,Status)values(" + Session["SelectIdFromTableAccount"] + ",'" + Session["adType"] + "','" + Session["Category"] + "','" + Session["Language"] + "','" + Session["Gender"] + "','" + Session["Age"] + "',@AdvKeyword," + Session["MaxBudget"] + "," + Session["Daily_Budget"] + ",@CampaignName,@AdHeadLine,@AdText,@DisplayUrl,@DestinationUrl,@Banner_Img,@Img_Name,'" + DateTime.Now + "','Paused')";
SqlCommand cmd_Store_Sessions = new SqlCommand(sql_Store_Sessions, con);
cmd_Store_Sessions.Parameters.AddWithValue("CampaignName", Session["CampaignName"]);
cmd_Store_Sessions.Parameters.AddWithValue("AdHeadLine", Session["AdHeadLine"]);
cmd_Store_Sessions.Parameters.AddWithValue("AdText", Session["AdText"]);
cmd_Store_Sessions.Parameters.AddWithValue("DisplayUrl", Session["DisplayUrl"]);
cmd_Store_Sessions.Parameters.AddWithValue("DestinationUrl", Session["DestinationUrl"]);
cmd_Store_Sessions.Parameters.AddWithValue("Banner_Img", Session["Banner_Img"]);
cmd_Store_Sessions.Parameters.AddWithValue("Img_Name", Session["Img_Name"]);
con.Open();
cmd_Store_Sessions.ExecuteNonQuery();
con.Close();
but there is an error : The parameterized query '(@AdvKeyword nvarchar(2),@CampaignName nvarchar(2),@AdHeadLine n' expects the parameter '@Banner_Img', which was not supplied
-
I think that happens when the value is null. C# null and database null are different. If you want to insert a null into the database you need to use DBNull.Value.
isn't that yet another reason for using SQLParameter? :)
Luc Pattyn
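An added example, not code from any poster in this thread, that combines the two pieces of advice above: every value, including the date and status, is sent as a typed SqlParameter, and a C# null is converted to DBNull.Value so the parameter is still supplied. The column sizes, the text type assumed for BannerImg, and the names AdCampaignInsert, Build and Add are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class AdCampaignInsert
{
    // Only parameter markers appear in the SQL text; no user value is concatenated.
    const string Sql =
        "insert into AdCampaign (CampaignName, AdHeadline, BannerImg, ImgName, [Date], Status) " +
        "values (@CampaignName, @AdHeadline, @BannerImg, @ImgName, @Date, @Status)";

    // Adds a typed parameter. A C# null becomes DBNull.Value, which inserts a
    // database NULL instead of leaving the parameter unsupplied.
    static void Add(SqlCommand cmd, string name, SqlDbType type, int size, object value)
    {
        cmd.Parameters.Add(name, type, size).Value = value ?? DBNull.Value;
    }

    // Sizes are assumptions; match them to the real AdCampaign schema.
    public static SqlCommand Build(string campaignName, string adHeadline,
                                   string bannerImg, string imgName)
    {
        var cmd = new SqlCommand(Sql);
        Add(cmd, "@CampaignName", SqlDbType.NVarChar, 100, campaignName);
        Add(cmd, "@AdHeadline", SqlDbType.NVarChar, 100, adHeadline);
        Add(cmd, "@BannerImg", SqlDbType.NVarChar, 260, bannerImg);
        Add(cmd, "@ImgName", SqlDbType.NVarChar, 260, imgName);
        Add(cmd, "@Date", SqlDbType.DateTime, 0, DateTime.Now); // no culture-dependent string
        Add(cmd, "@Status", SqlDbType.NVarChar, 20, "Paused");
        return cmd;
    }

    static void Main()
    {
        // Constructed input: quote and semicolon in the text, no banner uploaded.
        using (SqlCommand cmd = Build("Summer's sale; 50% off", "Don't miss it", null, null))
        {
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} = {1}", p.ParameterName,
                    p.Value is DBNull ? "NULL" : p.Value);
            // To execute: open a SqlConnection in a using block,
            // assign it to cmd.Connection, then call cmd.ExecuteNonQuery().
        }
    }
}
```

Main only builds the command and lists its parameters, so it runs without a database; the quote and semicolon travel as data and never become part of the SQL text.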