C#
if (txtpassword.Text == txtconform.Text)
{
    con.Open();
    string str1 = "insert into ram(fn,ln,un,pw,con,bod,q1,ans1,q2,ans2) values('" + txtfirstname.Text + "','" + txtlastname.Text + "','" + txtusername.Text + "','" + txtpassword.Text + "','" + txtcontake.Text + "','" + txtdateTimePicker.Value + "','" + cmbq1.Text + "','" + txtans1.Text + "','" + cmbq2.Text + "','" + txtans2.Text + "')";
    SqlCommand cmd = new SqlCommand(str1, con);
    cmd.ExecuteNonQuery();
    MessageBox.Show("Data Save");
    con.Close();
    reset();
}
else
{
    MessageBox.Show("Please re-enter your confirm password");
    txtconform.Text = "";
    txtconform.Focus();
}


What I have tried:

The query executes but the data is not inserted into the table. While the program is running the entered data works, but once the program is terminated it has not been inserted and the data does not work.
Posted
Updated 27-Mar-16 11:53am
v2
Comments
F-ES Sitecore 27-Mar-16 14:28pm    
If you're not getting an error you probably have your code inside a try\catch block that is ignoring the error, so step through the code in the debugger to see if it goes into the "if" branch and if an exception is raised.

Also convert your code to use parameterised queries (google "ado.net parameterised queries") as it is open to SQL injection attacks and will help you think about the type safety of your parameters. Finally use SQL Profiler to examine the actual query executed to see if you can see the issue from there.
RickZeeland 27-Mar-16 15:50pm    
Adding to the advice of F-ES Sitecore I would like to recommend testing your queries first in SQL Server Management Studio, also I prefer using ExpressProfiler which is a lot easier to use: https://expressprofiler.codeplex.com/

1 solution

Your query is vulnerable to SQL Injection attacks. You should use parameterized queries to build your SQL query from user input, not concatenated strings.

Many students (in particular) counter that comment with "but I am the only one using the database". However using parameterized queries can often overcome other issues such as mismatched single quotes, date formats etc.

Change your query to something like this:
C#
using System.Data.SqlClient;   // at the top of the file

// connectionString is a placeholder: use the connection string your project already uses
using (var con = new SqlConnection(connectionString))
{
    con.Open();
    string str1 = "insert into ram(fn,ln,un,pw,con,bod,q1,ans1,q2,ans2) values(@firstname,@lastname,@username,@password,@contake,@datetime,@cmbq1,@ans1,@cmbq2,@ans2)";
    using (var cmd = new SqlCommand(str1, con))
    {
        cmd.Parameters.AddWithValue("@firstname", txtfirstname.Text);
        cmd.Parameters.AddWithValue("@lastname", txtlastname.Text);
        cmd.Parameters.AddWithValue("@username", txtusername.Text);
        cmd.Parameters.AddWithValue("@password", txtpassword.Text);
        cmd.Parameters.AddWithValue("@contake", txtcontake.Text);
        // sent as a DateTime value rather than formatted text, so the date format cannot break the query
        cmd.Parameters.AddWithValue("@datetime", txtdateTimePicker.Value);
        cmd.Parameters.AddWithValue("@cmbq1", cmbq1.Text);
        cmd.Parameters.AddWithValue("@ans1", txtans1.Text);   // every parameter name carries the @ prefix
        cmd.Parameters.AddWithValue("@cmbq2", cmbq2.Text);
        cmd.Parameters.AddWithValue("@ans2", txtans2.Text);
        cmd.ExecuteNonQuery();   // actually run the insert
    }
}   // the using block closes and disposes the connection

I agree with @FES-Sitecore, if you are not getting an error reported then you probably have a try-catch block where you are ignoring the error. However, it is likely to have been the date (txtdateTimePicker.Value) that caused the error. Using the parameters as suggested above may overcome that problem as well; it depends on the type of column bod.
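As an added example (not part of the original question or of the answer above), the two failure modes the answer describes, written in Python against an in-memory SQLite table so that it runs anywhere: a legitimate apostrophe in a surname breaks the concatenated INSERT with the "mismatched single quotes" error, a crafted surname turns the same INSERT into a second statement that empties the table, and the parameterised form stores both values as inert text. The table, the sample registration row and the payload are constructed for this example; SQLite's executescript stands in for SqlCommand sending a multi-statement batch to SQL Server, and named `:fn` placeholders stand in for `@firstname` plus AddWithValue.

```python
import sqlite3

# The ten columns of the original INSERT statement.
FIELDS = ("fn", "ln", "un", "pw", "con", "bod", "q1", "ans1", "q2", "ans2")

# Constructed inputs: a real-world surname, and a hostile "last name" that closes the
# VALUES list, appends a second statement and comments out whatever follows it.
APOSTROPHE = "O'Brien"
PAYLOAD = "x','u','p','c','2000-01-01','q','a','q','a'); DELETE FROM ram; --"


def open_db():
    """In-memory SQLite stand-in (constructed here) for the SQL Server table 'ram'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ram(%s)" % ", ".join(f + " TEXT" for f in FIELDS))
    return db


def make_row(**overrides):
    """A plausible registration form submission (constructed sample data)."""
    row = dict(fn="Sean", ln="Smith", un="sean", pw="hunter2", con="555-0100",
               bod="1990-05-17", q1="First pet?", ans1="Rex", q2="Home town?", ans2="Cork")
    row.update(overrides)
    return row


def insert_concatenated(db, row):
    """Mirrors the original str1: wrap each form value in quotes and splice it into the
    SQL text.  executescript runs whatever statements result, as ExecuteNonQuery does on
    SQL Server, so anything the user smuggles into the string is executed too."""
    sql = "INSERT INTO ram(%s) VALUES(%s)" % (
        ",".join(FIELDS), ",".join("'" + row[f] + "'" for f in FIELDS))
    db.executescript(sql)
    return sql


def insert_parameterized(db, row):
    """The parameterised form: named placeholders in the SQL text, values sent separately.
    This is the SQLite equivalent of @firstname plus cmd.Parameters.AddWithValue."""
    sql = "INSERT INTO ram(%s) VALUES(%s)" % (
        ",".join(FIELDS), ",".join(":" + f for f in FIELDS))
    db.execute(sql, row)
    db.commit()
    return sql


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM ram").fetchone()[0]


def apostrophe_demo():
    """The 'mismatched single quotes' problem.  Returns (outcome of the concatenated
    insert, surname stored by the parameterised insert)."""
    db = open_db()
    try:
        insert_concatenated(db, make_row(ln=APOSTROPHE))
        outcome = "inserted"
    except sqlite3.OperationalError:
        outcome = "syntax error"      # ...'O'Brien'... leaves a dangling quote
    insert_parameterized(db, make_row(ln=APOSTROPHE))
    stored = db.execute("SELECT ln FROM ram").fetchone()[0]
    return outcome, stored


def injection_demo():
    """Returns (rows left after the concatenated insert of PAYLOAD,
    rows after the parameterised inserts, the surname actually stored)."""
    db = open_db()
    insert_parameterized(db, make_row())            # an existing, legitimate account
    insert_concatenated(db, make_row(ln=PAYLOAD))   # INSERT runs, then DELETE FROM ram
    after_concat = count_rows(db)                   # every account is gone
    insert_parameterized(db, make_row())
    insert_parameterized(db, make_row(ln=PAYLOAD))  # payload stored as inert text
    after_param = count_rows(db)
    stored = db.execute("SELECT ln FROM ram WHERE ln = ?", (PAYLOAD,)).fetchone()[0]
    return after_concat, after_param, stored


if __name__ == "__main__":
    print(apostrophe_demo())
    print(injection_demo())
```

Parameters fix the query, not the data model: the `pw` column in the original code still receives the password as plain text. Store a salted hash produced by a slow password hashing function instead, and compare hashes at login.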
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)