the insert command doesnt work

sara setare

Hi all I have a problem with database.I work on " add new user.aspx "file witch add a new user to the table(Authenticate)but it doesnt work! this is my code in add new user.aspx file:

<script runat="server">
protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
{
System.Data.SqlClient.SqlConnection con = new System.Data.SqlClient.SqlConnection();
string connectionstr=@"Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\EHSAN\Documents\Visual Studio 2010\Projects\The Club\The Club\App_Data\Database1.mdf;Integrated Security=True;User Instance=True";
con.ConnectionString=connectionstr;
string sqlstring;
sqlstring ="insert into Authenticate (username,password)VALUES ("+ CreateUserWizard1.UserName+","+CreateUserWizard1.Password+")";
System.Data.SqlClient.SqlCommand objcommand = new System.Data.SqlClient.SqlCommand(sqlstring, con);
Response.Redirect("~/Login.aspx");
}
</script>

I execute that but it doesnt add any new row to my table!!!! plz help me!

PIEBALDconsult

I suspect you need to put apostrophes around the values, but the better (much much better) solution is to use a parameterized command.

sara setare

thank you so much but I dont know how should I use parameter!for example I have the CreateUserWizard1.UserName variable but I dont know how should use it as parameter! can you say me how should I do it?

Pallavi Waikar

ur missing objcommand.ExecuteNonQuery(); and parenthesis in code try this one

<script runat="server">
protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
{
System.Data.SqlClient.SqlConnection con = new System.Data.SqlClient.SqlConnection();
string connectionstr=@"Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\EHSAN\Documents\Visual Studio 2010\Projects\The Club\The Club\App_Data\Database1.mdf;Integrated Security=True;User Instance=True";
con.ConnectionString=connectionstr;
string sqlstring;
sqlstring ="insert into Authenticate (username,password)VALUES ('"+ CreateUserWizard1.UserName+"','"+CreateUserWizard1.Password+"')";
System.Data.SqlClient.SqlCommand objcommand = new System.Data.SqlClient.SqlCommand(sqlstring, con);
Con.Open();
objcommand.ExecuteNonQuery();
Con.Close();
Response.Redirect("~/Login.aspx");
}
</script>
<asp:Content ID="Content1" ContentPlaceHolderID="cphMain" Runat="server">
<asp:CreateUserWizard ID="CreateUserWizard1" Runat="server"
oncreateduser="CreateUserWizard1_CreatedUser">
</asp:CreateUserWizard>
</asp:Content>

sara setare

thank you so much,it works I had 2 mistake: 1:in insert command 2:in execute command thank you so much again

Richard Deeming

Avoiding SQL Injection[^] isn't hard:

protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
{
const string connectionstr = @"...";
const string sqlstring = "insert into Authenticate (username, password) VALUES (@username, @password)";

using (var con = new System.Data.SqlClient.SqlConnection(connectionstr))
using (var objcommand = new System.Data.SqlClient.SqlCommand(sqlstring, con))
{
    objcommand.Parameters.AddWithValue("@username", CreateUserWizard1.UserName);
    objcommand.Parameters.AddWithValue("@password", CreateUserWizard1.Password);
    
    con.Open();
    objcommand.ExecuteNonQuery();
}

Response.Redirect("~/Login.aspx");

}

Once you've fixed that problem, you then need to reconsider how you're storing the passwords. Currently, you're storing them as plain text, which is a terrible idea. If anyone managed to gain access to your database, they would be able to see every password used on your site. Instead, you should be storing a salted hash of the passwords: http://crackstation.net/hashing-security.htm[^]

---

"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

Richard Deeming

This version is still susceptible to SQL Injection[^]. For example, try a password of:

Robert');DROP TABLE Authenticate;--

---

"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer