Quote:
SqlCommand sqlcmd = new SqlCommand("INSERT INTO YETBCountor (YETBType) VALUES ('" + UT + "')", conn);

Don't do it like that!

Your code is vulnerable to SQL Injection.

NEVER use string concatenation/interpolation to build a SQL query.
ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
And it just so happens that by fixing this critical security vulnerability in your code, you will also fix your encoding problem as a free bonus. Instead of concatenating your text into your SQL command as a non-Unicode literal, you will pass it through as a Unicode parameter. So long as your table column is defined as nvarchar(...) instead of varchar(...), your Arabic text will be stored and retrieved correctly.
// The value never becomes part of the SQL text; it travels as a typed parameter.
using (SqlCommand sqlcmd = new SqlCommand("INSERT INTO YETBCountor (YETBType) VALUES (@YETBType)", conn))
{
    // A .NET string maps to an NVarChar (Unicode) parameter, so the Arabic text is preserved.
    sqlcmd.Parameters.AddWithValue("@YETBType", UT);
    sqlcmd.ExecuteNonQuery();
}
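To show the two points of the answer together (the parameter is typed and sized explicitly, and the round trip only works because the column is nvarchar), here is an added example that is not part of the original post. It assumes a SQL Server reachable through the placeholder connection string, a table created by the snippet itself, and the Microsoft.Data.SqlClient package; the Arabic sample text is constructed for the demonstration.

```csharp
using System;
using Microsoft.Data.SqlClient;

public static class ParameterizedInsertDemo
{
    // Placeholder only: replace with a real connection string before running.
    private const string ConnectionString =
        "Server=<host>;Database=<db>;Integrated Security=true;TrustServerCertificate=true";

    // Constructed sample: Arabic text that a varchar column would mangle into '?'.
    private const string SampleText = "مرحبا بالعالم";

    public static void Main()
    {
        using (var conn = new SqlConnection(ConnectionString))
        {
            conn.Open();

            // NVARCHAR is what keeps Unicode intact; VARCHAR would lose the Arabic letters.
            using (var create = new SqlCommand(
                "IF OBJECT_ID('YETBCountor') IS NULL " +
                "CREATE TABLE YETBCountor (Id INT IDENTITY PRIMARY KEY, YETBType NVARCHAR(100))", conn))
            {
                create.ExecuteNonQuery();
            }

            int newId = InsertType(conn, SampleText);
            string roundTrip = ReadType(conn, newId);

            Console.WriteLine(roundTrip == SampleText
                ? "Round trip OK: text stored and retrieved unchanged"
                : "Round trip FAILED: check that the column is NVARCHAR");
        }
    }

    // Parameterized insert: the user-supplied value is never spliced into the SQL text,
    // so a value such as "x'); DROP TABLE YETBCountor; --" is stored literally, not executed.
    public static int InsertType(SqlConnection conn, string typeValue)
    {
        const string sql =
            "INSERT INTO YETBCountor (YETBType) OUTPUT INSERTED.Id VALUES (@YETBType)";

        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and size match the column, avoiding the type inference of AddWithValue.
            cmd.Parameters.Add("@YETBType", System.Data.SqlDbType.NVarChar, 100).Value = typeValue;
            return (int)cmd.ExecuteScalar();
        }
    }

    // Parameterized read-back used to verify the stored value.
    public static string ReadType(SqlConnection conn, int id)
    {
        using (var cmd = new SqlCommand(
            "SELECT YETBType FROM YETBCountor WHERE Id = @Id", conn))
        {
            cmd.Parameters.Add("@Id", System.Data.SqlDbType.Int).Value = id;
            return (string)cmd.ExecuteScalar();
        }
    }
}
```

Using Parameters.Add with an explicit SqlDbType and length is a small refinement over AddWithValue: the driver sends the same Unicode parameter either way, but declaring the type and size yourself keeps the plan cache from filling with one plan per string length and makes the intent obvious when the column definition changes.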