how to correct this statement in the given code below : cmd.ExecuteNonQuery();

Question

1.00/5 (1 vote)

See more:

C#

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class uploadProject : System.Web.UI.Page
{
    connection con = new connection();
    protected void Page_Load(object sender, EventArgs e)
    {
        fillid();
    }
    public void fillid()
    {
        con.open_connection();
        string str = "select * from celeb order by ID";
        SqlCommand cmd = new SqlCommand(str, con.con_pass());
        SqlDataReader dr = cmd.ExecuteReader();
        int i = 0;
        while (dr.Read())
        {
            int a = 0;
            a = Convert.ToInt32(dr["ID"].ToString());
            ViewState["sid"] = a.ToString();
            i = i + 1;
        }
        if (i > 0)
        {
            int a = Convert.ToInt32(ViewState["sid"].ToString());
            a = a + 1;
            TextBox1.Text = a.ToString();
        }
        else
            TextBox1.Text = "1";
        con.close_connection();
    }
    protected void Button2_Click(object sender, EventArgs e)
    {
        if (FileUpload1.HasFile)
        {
            try
            {
                string filename = System.IO.Path.GetFileName(FileUpload1.FileName);
                FileUpload1.SaveAs(Server.MapPath("~/uploadImage/") + filename);
               // Console.Write(filename);
                Image1.ImageUrl = "~/uploadImage/" + filename;
                Image1.Visible = true;
                // TextBox9.Text = Image1.ImageUrl;
                FileUpload1.Visible = false;
                Button2.Visible = false;
            }
            catch (Exception ex)
            {
                //StatusLabel.Text = "Upload status: The file could not be uploaded. The following error occured: " + ex.Message;
            }
        }
    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        con.open_connection();
        string str = "insert into celeb values('" + TextBox1.Text + "','" + TextBox4.Text + "','" + TextBox3.Text + "','" + Image1.ImageUrl + "','" + System.DateTime.Now.ToString() + "')";
        SqlCommand cmd = new SqlCommand(str, con.con_pass());
         cmd.ExecuteNonQuery(); 
        con.close_connection();
    }
}

Posted 4-May-15 23:16pm

Member 11665248

Updated 4-May-15 23:25pm

Tomas Takac

v2

Add a Solution

Comments

Karthik_Mahalingam 5-May-15 5:24am

pass the connection string.

Mehdi Gholam 5-May-15 5:24am

...and what is wrong?

Tomas Takac 5-May-15 5:25am

What's the error message?

F-ES Sitecore 5-May-15 5:34am

Google "using parameterised queries aso.net" and follow some examples. If you are getting an error then you have to state what the error is as that will point to the actual issue.

http://www.codeproject.com/Messages/1278599/How-to-get-an-answer-to-your-question.aspx

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2015-05-04T23:30:00

Not like that.
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Particularly with a web based solution, where anyone can destroy your database from the other side of the world...

And it's a very, very good idea to list the columns you want to insert values into - if you don't then SQL will try to insert them in the order they are currently defined in the database - it won't try to intelligently match them up. So if you have an ID column first (and most tables do) SQL will try to insert the first value into that...

C#

string str = "INSERT INTO celeb (Column1Name, Column2Name, Column3Name, Coulmn4Name, Column5Name) VALUES (@C1, @C2, @C3, @C4, @C5)";
SqlCommand cmd = new SqlCommand(str, con.con_pass());
cmd.Parameters.AddWithValue("@C1", TextBox1.Text);
cmd.Parameters.AddWithValue("@C2", TextBox4.Text);
...
cmd.ExecuteNonQuery();

You can use "sensible names" instead of "C1", "C2" and so forth to make your code more readable.

Chances are that this will also fix your problem.

BTW: Do yourself a favour, and stop using Visual Studio default names for everything - you may remember that "TextBox8" is the mobile number today, but when you have to modify it is three weeks time, will you then? Use descriptive names - "tbMobileNo" for example - and your code becomes easier to read, more self documenting, easier to maintain - and surprisingly quicker to code because Intellisense can get to to "tbMobile" in three keystrokes, where "TextBox8" takes thinking about and 8 keystrokes...