See more: C#
I'm executing the following code

OdbcConnection con;
OdbcCommand cmd;
con = new OdbcConnection(@"Dsn=chaitudi;dbq=C:\project\Distributor.accdb;driverid=25;fil=MS Access;maxbuffersize=2048;pagetimeout=5;uid=admin");
// Textbox values are concatenated straight into the SQL text (this is what the replies below object to)
cmd = new OdbcCommand("insert into Company(ID,CompanyName,StreetName,City,ZipCode,State,TelePhone) values('" + textBox12.Text + "','" + textBox4.Text + "','" + textBox5.Text + "','" + textBox6.Text + "','" + textBox7.Text + "','" + textBox8.Text + "','" + textBox10.Text + "')", con);
con.Open();
cmd.ExecuteNonQuery();   // the statement is sent to the database here
MessageBox.Show("Stored Successfully");

But I'm getting the error "Numeric value out of range"...
Please help me...
Thanks in advance
Posted 1-Mar-13 6:19am
Edited 1-Mar-13 6:21am
richcb 1-Mar-13 11:22am
First off, you're setting yourself up for SQL injection that could destroy your database. You should really consider using parameterized queries. Second, on what line is the code throwing the exception?
Agree. The question is nearly the same as OP's previous one, please see. OP needs to learn how to learn lessons from questions/answers, before asking another one. :-)
Mike Meinz 1-Mar-13 11:51am
What if one of your users enters data in a textbox that is larger than, or doesn't match the datatype of, the associated database column?
* Error on execution of the INSERT - You need to validate user input

What if one of your users puts SQL statements to delete your database in one of the textboxes?
* SQL Injection Attack - You need to use parameters rather than concatenated strings

What if one of your users enters data in a textbox that contains an apostrophe?
* Error on execution of the INSERT - You need to replace single apostrophe with double apostrophe in any string columns.

Avoid run-time errors by coding to prevent user data entry errors!

1 solution


Solution 1

Since the only numbers in there are trivial ("25" and "2048"), it has to be the values you are trying to insert from your textboxes. So start by checking them against the datatypes in your database.

But don't do it that way! Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attack, which can destroy your entire database. Use parameterized queries instead.

Also, you should be disposing your connections and commands - they are scarce commodities, so they should not be kept longer than you need to.

Oh, and stop using the VS default names for controls: you may remember today that "textbox12" holds the user ID, but you won't in a couple of weeks' time when you need to maintain this. Call them something sensible: it makes your code easier to read, understand and maintain. It is also quicker to type, since IntelliSense can sort them out quicker for you...

using (OdbcConnection con = new OdbcConnection(strConnect))
using (OdbcCommand com = new OdbcCommand("INSERT INTO Company (ID,CompanyName) VALUES (?, ?)", con))
{
    com.Parameters.AddWithValue("@UID", tbUserID.Text);   // ODBC parameters are positional: they bind to the '?' markers in the order added
    com.Parameters.AddWithValue("@CON", tbCompanyName.Text);
    con.Open();
    com.ExecuteNonQuery();
}
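A fuller version of the parameterized approach, added here as an example and not code from the question or the answer above. It assumes the Company table's ID column is numeric (which would explain the "Numeric value out of range" error for a non-numeric or oversized value) and assumes text column widths of 50 and 20; both must be checked against the real Distributor.accdb schema.

```csharp
using System;
using System.Data;
using System.Data.Odbc;

// Added example: validates user input against the (assumed) column types before the
// INSERT runs, and passes the values as typed ODBC parameters instead of SQL text.
static class CompanyRepository
{
    const string ConnectionString =
        @"Dsn=chaitudi;dbq=C:\project\Distributor.accdb;driverid=25;fil=MS Access;maxbuffersize=2048;pagetimeout=5;uid=admin";

    // Assumed column widths; verify against the table design in Access.
    const int CompanyNameWidth = 50;
    const int TelephoneWidth = 20;

    // Returns a message describing the problem, or null if the input is acceptable.
    public static string Validate(string id, string companyName, string telephone)
    {
        int parsedId;
        if (!int.TryParse(id, out parsedId) || parsedId < 0)
            return "ID must be a non-negative whole number";
        if (string.IsNullOrWhiteSpace(companyName) || companyName.Length > CompanyNameWidth)
            return "CompanyName must be 1-" + CompanyNameWidth + " characters";
        if (telephone == null || telephone.Length > TelephoneWidth)
            return "TelePhone must be at most " + TelephoneWidth + " characters";
        return null;
    }

    public static int InsertCompany(string id, string companyName, string telephone)
    {
        string problem = Validate(id, companyName, telephone);
        if (problem != null)
            throw new ArgumentException(problem);

        // System.Data.Odbc does not support named parameters: use '?' placeholders and
        // add the parameters in the same order. The user's text never becomes part of
        // the SQL, so an apostrophe ("O'Brien") or SQL keywords are stored as plain data.
        const string sql = "INSERT INTO Company (ID, CompanyName, TelePhone) VALUES (?, ?, ?)";
        using (var con = new OdbcConnection(ConnectionString))
        using (var cmd = new OdbcCommand(sql, con))
        {
            cmd.Parameters.Add("ID", OdbcType.Int).Value = int.Parse(id);
            cmd.Parameters.Add("CompanyName", OdbcType.VarChar, CompanyNameWidth).Value = companyName;
            cmd.Parameters.Add("TelePhone", OdbcType.VarChar, TelephoneWidth).Value = telephone;
            con.Open();
            return cmd.ExecuteNonQuery();   // 1 row on success
        }
    }
}
```

With typed parameters the driver converts each value for its column, so a datatype mismatch surfaces as a clear validation message in the form instead of a generic ODBC error after the statement is sent.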

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 1 Mar 2013
Copyright © CodeProject, 1999-2015