public partial class Home : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection("Data Source=LENOVO-PC\\SQLEXPRESS;Initial Catalog=employee;Integrated Security=True");

    protected void Page_Load(object sender, EventArgs e) { }

    protected void Button1_Click(object sender, EventArgs e)
    {
        string s = "insert into employee values('" + TextBox1.Text + "', '" + TextBox2.Text + "', " + " '" + TextBox3.Text + "') ";
        SqlCommand comm = new SqlCommand(s, con);
    }
}
Posted 25-Jan-13 3:33am
Updated 25-Jan-13 4:29am
Member 9581488 25-Jan-13 9:40am
what is the error??
PIEBALDconsult 25-Jan-13 10:06am
Please put all the database access code in its own class -- a Data Access Layer -- rather than in your form class.
Please use parameters rather than using concatenation to form the statement.
Please use try/finally for ExecuteNonQuery and Close.

Solution 1

The SqlCommand calling the ExecuteNonQuery() method only has 1 "m" while you declared it with 2.

com.ExecuteNonQuery() should be comm.ExecuteNonQuery()

Also, I would declare your SqlConnection in the same scope your other code is in.

Solution 2

Your INSERT statement is missing the names of the columns. Best practice is to include the names of the columns so that your SQL statements will work should someone later add one or more columns to the database table.

INSERT INTO EMPLOYEE (col1,col2,col3) Values(val1,val2,val3);

Also, when you put values directly from a TextBox into a SQL statement, your software is vulnerable to SQL Injection attacks. Best practice is to use the SqlParameter class to pass values to a parameterized SQL statement. It also performs better than when the variable value is embedded within the SQL statement.

INSERT INTO EMPLOYEE (col1,col2,col3) Values(@valName1,@valName2,@valName3);

Read this article: Use SQL Parameters to Overcome Ad Hoc Performance Issues
PIEBALDconsult 25-Jan-13 10:01am
"missing the names of the columns"

With some databases, e.g. SQL Server, that's allowed if you are providing values to all the columns (in order). Lazy, but allowed.
Mike Meinz 25-Jan-13 10:05am
Thank you for your comment, PIEBALDconsult. It is allowed, as you say, but it is bad practice. When a programmer does not name the columns in the SQL statements, the software breaks when a new column is added to the database table. Best practice of naming the columns allows for adding columns to the database without breaking the software.
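
The advice from the comments and Solution 2 combined into one data access class, as an added example (not code from the original posts). The class and method names, the NVarChar(50) parameter types, and the col1..col3 column names (placeholders taken from Solution 2) are assumptions to replace with the real schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data access class: keeps SQL out of the page code-behind.
public sealed class EmployeeRepository
{
    private readonly string _connectionString;

    public EmployeeRepository(string connectionString)
    {
        if (string.IsNullOrWhiteSpace(connectionString))
            throw new ArgumentException("Connection string is required.", "connectionString");
        _connectionString = connectionString;
    }

    // Returns the number of rows inserted (1 on success).
    public int InsertEmployee(string value1, string value2, string value3)
    {
        // Named columns: the statement keeps working if a column is added later.
        // The text is a constant; user input never becomes part of the SQL.
        const string sql =
            "INSERT INTO employee (col1, col2, col3) " +
            "VALUES (@valName1, @valName2, @valName3);";

        // using disposes (and closes) both objects even when ExecuteNonQuery
        // throws, which is the try/finally behaviour asked for in the comments.
        using (SqlConnection con = new SqlConnection(_connectionString))
        using (SqlCommand comm = new SqlCommand(sql, con))
        {
            // Assumed column type NVarChar(50). Values travel as typed data,
            // so a quote character in a TextBox is stored, not executed.
            comm.Parameters.Add("@valName1", SqlDbType.NVarChar, 50).Value = ToDbValue(value1);
            comm.Parameters.Add("@valName2", SqlDbType.NVarChar, 50).Value = ToDbValue(value2);
            comm.Parameters.Add("@valName3", SqlDbType.NVarChar, 50).Value = ToDbValue(value3);

            con.Open();
            return comm.ExecuteNonQuery();
        }
    }

    // A null Value is treated as "parameter not supplied"; send DBNull instead.
    private static object ToDbValue(string s)
    {
        return (object)s ?? DBNull.Value;
    }
}
// In Button1_Click (connectionString read from configuration):
//   new EmployeeRepository(connectionString)
//       .InsertEmployee(TextBox1.Text, TextBox2.Text, TextBox3.Text);
```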

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Web01 | 2.8.180417.1 | Last Updated 25 Jan 2013
Copyright © CodeProject, 1999-2018