Not able to insert my data into sql db. Getting that annoying null error!

Norris Chappell

I'm having an issue with my C# code. I m trying to insert data into my database from a form, unfortunately I keep getting issues with Object reference not set to an instance of an object. Here s the code:

aspx

Richard Deeming

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

protected void InsertButton_Click(object sender, EventArgs e)
{
const string Query = "INSERT INTO StaffTracking (Project, Tower, [Functional Area], ResourceName, CATWResourceName, Org, IndicateifBillingFP, IndicateifBillingTM, DefaultFTE, Active, PersonnelResourceType) VALUES (@Project, @Tower, @FunctionalArea, @ResourceName, @CATWResourceName, @Org, @IndicateifBillingFP, @IndicateifBillingTM, @DefaultFTE, @Active, @PersonnelResourceType)";

using (SqlConnection connection = new SqlConnection(WebConfigurationManager.ConnectionStrings\["YourConnectionString"\].ConnectionString))
using (SqlCommand command = new SqlCommand(Query, connection))
{
    connection.Open();

    foreach (GridViewRow row in gvNEW.Rows)
    {
        command.Parameters.AddWithValue("@Project", ((TextBox)row.FindControl("txtProject")).Text);
        command.Parameters.AddWithValue("@Tower", ((TextBox)row.FindControl("txtTower")).Text);
        command.Parameters.AddWithValue("@FunctionalArea", ((TextBox)row.FindControl("txtFunctional Area")).Text);
        command.Parameters.AddWithValue("@ResourceName", ((TextBox)row.FindControl("txtResourceName")).Text);
        command.Parameters.AddWithValue("@CATWResourceName", ((TextBox)row.FindControl("txtCATWResourceName")).Text);
        command.Parameters.AddWithValue("@Org", ((TextBox)row.FindControl("TxtOrg")).Text);
        command.Parameters.AddWithValue("@IndicateifBillingFP", ((TextBox)row.FindControl("txtIndicateifBillingFP")).Text);
        command.Parameters.AddWithValue("@IndicateifBillingTM", ((TextBox)row.FindControl("txtIndicateifBillingTM")).Text);
        command.Parameters.AddWithValue("@DefaultFTE", ((TextBox)row.FindControl("txtDefaultFTE")).Text);
        command.Parameters.AddWithValue("@Active", ((TextBox)row.FindControl("txtActive")).Text);
        command.Parameters.AddWithValue("@PersonnelResourceType",

Sascha Lefevre

Hey Norris, please, for the love of cheese, first change your INSERT-statement to use Sql-Parameters, like I suggested you to do categorically in response to your first(?) post here. Simple example here: http://www.dotnetperls.com/sqlparameter[^] - it prevents SQL-injection - it makes your code more readable - for you and us - it can prevent certain errors or make them easier to find After you've done that there's a good chance the exception message will point to to the exact line so you'll see for yourself where the error is - otherwise please come back and post the reworked code and indicate the line at which the exception occurs. You could also change it to instantiating the connection locally and using the connection and command object in using-blocks. cheers, Sascha

If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson

Norris Chappell

That worked! Thanks Richard and Sascha. I will parameterized all of my code going forward. I did get an error for this field: command.Parameters.AddWithValue("@DefaultFTE", ((TextBox)row.FindControl("txtDefaultFTE")).Text); Because this field is decimal(8,3) and not nvarchar. Not a problem I was able to handle it. One final question to all? Is there a way to fire off one method which in turn fire off another one? I'm doing an import and submit. I want the import to do the submit. O Can I include the SubmitButton_click code in the ImportButton_click code?

Sascha Lefevre

Norris Chappell wrote:

Is there a way to fire off one method which in turn fire off another one? I'm doing an import and submit. I want the import to do the submit. O Can I include the SubmitButton_click code in the ImportButton_click code?

Whenever you realize a requirement like this (needing the code that currently is "dedicated" to a certain place/event (SubmitButton_click) also in other situations) you should factor that code out into a separate method that can be used universally and gets all required inputs via arguments. Then you can call it from ImportButton_click and SubmitButton_click. No duplicate code and no weird codepaths (like calling SubmitButton_click from ImportButton_click).

If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson

Norris Chappell

Sascha, Thanks again! I was able to figure my last question out. Regards, Norris

Sascha Lefevre

You're welcome! :)

If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson