Hi Jayanta,
Looks like a quotation marks and single quotation problem.
You need to make sure that in your INSERT string you don't have a single quote (') since that messes up the SQL query.
This is one of the most common ways to attack a DB; it's SQL Injection.
Here's an example of how to use parameters:
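// Requires: using System; using System.Data.SqlClient;
// The values travel as parameters, so a quote inside them never becomes part of the SQL text.
string sqlIns = "INSERT INTO table (name, information, other) VALUES (@name, @information, @other)";
db.Open();
try
{
    SqlCommand cmdIns = new SqlCommand(sqlIns, db.Connection);
    // AddWithValue replaces the obsolete Parameters.Add(string, object) overload.
    cmdIns.Parameters.AddWithValue("@name", info);
    cmdIns.Parameters.AddWithValue("@information", info1);
    cmdIns.Parameters.AddWithValue("@other", info2);
    cmdIns.ExecuteNonQuery();
    cmdIns.Dispose();
    cmdIns = null;
}
catch (Exception ex)
{
    throw new Exception(ex.ToString(), ex);
}
finally
{
    db.Close();
}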
Cheers,
Edo
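
Added example, not part of Edo's reply: the single-quote failure and the parameter fix side by side, so the difference can be run and observed. It uses Python's built-in sqlite3 instead of the post's SqlCommand so that it runs without a database server; the table name `people`, the function names and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3

# Constructed sample rows; the apostrophes are ordinary data, not an attack.
SAMPLE_ROWS = [
    ("Jayanta", "no quotes here", "x"),
    ("O'Brien", "it's a note", "y"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, information TEXT, other TEXT)")
    return conn

def insert_concatenated(conn, name, information, other):
    """The 'before': values are pasted into the SQL text, so a ' ends the literal early."""
    sql = ("INSERT INTO people (name, information, other) VALUES ('"
           + name + "', '" + information + "', '" + other + "')")
    conn.execute(sql)

def insert_parameterized(conn, name, information, other):
    """The fix: values are bound as parameters and never parsed as SQL."""
    conn.execute(
        "INSERT INTO people (name, information, other) VALUES (?, ?, ?)",
        (name, information, other),
    )

def run_demo():
    results = {"concat_failed": [], "param_stored": []}
    conn = make_db()
    for row in SAMPLE_ROWS:
        try:
            insert_concatenated(conn, *row)
        except sqlite3.Error:
            # The apostrophe closed the string literal and the statement no longer parses.
            results["concat_failed"].append(row[0])
    conn.execute("DELETE FROM people")
    for row in SAMPLE_ROWS:
        insert_parameterized(conn, *row)
    results["param_stored"] = conn.execute(
        "SELECT name, information, other FROM people ORDER BY rowid").fetchall()
    conn.close()
    return results

if __name__ == "__main__":
    print(run_demo())
```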