Start by fixing the SQL Injection vulnerability in your `Page_Load` code:
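/// <summary>
/// On postback, checks whether a member with the selected pre_name already exists
/// and writes a message to the response if it does. The user-controlled value is
/// passed as a SQL parameter, never concatenated into the query text.
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        return;
    }

    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Camt_LibraryConnectionString"].ConnectionString))
    using (SqlCommand com = new SqlCommand("select count(*) from tbl_member where pre_name = @pre_name", conn))
    {
        // Use the same selected value that Button1_Click sends as @Pname so both
        // queries compare the same key. SelectedValue is "" when nothing is selected
        // rather than throwing like SelectedItem.Value would.
        com.Parameters.AddWithValue("@pre_name", ddPreN.SelectedValue);
        conn.Open();

        // count(*) always yields one non-null integer, so the scalar can be converted
        // directly without the string round-trip.
        int existing = Convert.ToInt32(com.ExecuteScalar());
        if (existing != 0)
        {
            Response.Write("User already Exists");
        }
    }
}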
Then, in your `Button1_Click` method, check the value you are passing to the `@MemberTy` parameter. You are passing `ddMember_Type.SelectedItem`, which is a `System.Web.UI.WebControls.ListItem` object. You need to pass its `Value` instead:
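/// <summary>
/// Inserts the new member using a fully parameterized INSERT, then stores the
/// uploaded image under ~/Uploads/. The client-supplied file name is reduced to
/// its bare name (directory parts stripped) before it is persisted or used to
/// build a path, and the same sanitized name is used for both.
/// </summary>
/// <param name="sender">The button raising the event.</param>
/// <param name="e">Event data (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
    const string InsertQuery = @"insert into tbl_member (pre_name, name, member_type_id, dept_id, student_id, address, phone, mobile, create_date, expire_date, image,debt) values (@Pname, @Name, @MemberTy, @Dept, @StudentID, @Adderss, @Phone, @Mobile, @Cdate, @Edate, @Image, @Debt)";

    // Strip any directory information the browser may have sent. Persisting this
    // sanitized name (rather than the raw FileName) keeps the DB row in step with
    // the file actually written to disk.
    string fileName = System.IO.Path.GetFileName(File_UploadImage.FileName);
    string imagePath = Server.MapPath("~/Uploads/");
    string filePath = System.IO.Path.Combine(imagePath, fileName);

    // SaveAs throws when no file was posted; fail before touching the database so
    // we do not insert a member row that points at an image that was never saved.
    if (!File_UploadImage.HasFile || string.IsNullOrEmpty(fileName))
    {
        Response.Write("Please select an image to upload");
        return;
    }

    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Camt_LibraryConnectionString"].ConnectionString))
    using (SqlCommand com = new SqlCommand(InsertQuery, conn))
    {
        // ListItem controls: pass the selected Value, not the ListItem object.
        com.Parameters.AddWithValue("@Pname", ddPreN.SelectedItem.Value);
        com.Parameters.AddWithValue("@Name", TextBoxName.Text);
        com.Parameters.AddWithValue("@MemberTy", ddMember_Type.SelectedItem.Value);
        com.Parameters.AddWithValue("@Dept", ddDept.SelectedItem.Value);
        com.Parameters.AddWithValue("@StudentID", TextBoxStudenID.Text);
        com.Parameters.AddWithValue("@Adderss", TextBoxAddress.Text);
        com.Parameters.AddWithValue("@Phone", TextBoxcall.Text);
        com.Parameters.AddWithValue("@Mobile", TextBoxMobie.Text);
        // NOTE(review): DateFormat is the control's format string, not the chosen
        // date - replace with the selected-date property of your DatePicker control.
        com.Parameters.AddWithValue("@Cdate", DatePicker1.DateFormat);
        com.Parameters.AddWithValue("@Edate", DatePicker2.DateFormat);
        com.Parameters.AddWithValue("@Image", fileName);
        // NOTE(review): sent as text; if the debt column is numeric, parse it first
        // so a bad value is rejected here rather than by the database.
        com.Parameters.AddWithValue("@Debt", TextBoxDebt.Text);
        conn.Open();
        com.ExecuteNonQuery();
    }

    File_UploadImage.SaveAs(filePath);
    Response.Write("Reqisteration is submit");
}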
You also need to check the values of your `@Cdate` and `@Edate` parameters - currently, you're passing the date format string rather than the selected date.
I've also fixed your image saving code to use an app-relative path rather than hard-coding the project path, and to remove any directory information from the uploaded file name before it is used to build the destination path.
You'll also want to avoid sending the complete details of any exception to the client. This can often expose internal information which can be used by hackers to attack your site. The built-in ASP.NET error handlers do a pretty good job of hiding this information from remote users by default.