using System;
using System.Data.SqlClient;

public partial class Add_question : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        //if (!Page.IsPostBack)
        //{
        //    DropDownList1.DataSource = DropDownList1.SelectedItem.Value;
        //    DropDownList1.DataBind();
        //}
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\v11.0;AttachDbFilename=F:\AAAAAAAAAAA\FINGERPRINT\APP_DATA\QUESTIONS.MDF;Integrated Security=True;");
        con.Open();
        string str;
        // This statement is the problem: one INSERT cannot carry a separate VALUES clause per column,
        // the @Branch/@Semister/@Marks parameters are never given values, and TextBox1.Text is
        // concatenated straight into the SQL text.
        str = "insert into [questions] (Branch) values (@Branch) (Semister) values (@Semister) (Marks) values (@Marks) (Questions) values ('" + TextBox1.Text + "')";
        SqlCommand cmd = new SqlCommand(str, con);

        cmd.ExecuteNonQuery();
        con.Close();
    }
}

What I have tried:

I have tried some other ways, but I got the same error.
Posted
Updated 31-Mar-17 23:47pm

1 solution

Please, learn what you are doing.
You have found some code on the internet, and copied some of it into your code without thinking about how it's supposed to work. You've then added some code to try and make it work differently.

That's not valid SQL, it's vulnerable to SQL Injection where your user can damage or delete your database, it's missing all the parameter values, and it's clear you don't know what you are doing.
The basic SQL you want to insert a row is like this:
SQL
INSERT INTO MyTableName (firstColumnNameToInsertInto, secondColumnNameToInsertInto, ...) VALUES (valueToInserttoColumn1, valueToInsertToColumn2, ...)
But you are then mixing parameters (which you don't provide) with string concatenation - and the concatenation is a big problem:
C#
string sql = "INSERT INTO MyTable (MyColumn) VALUES ('" + myTextBox.Text + "')";
That's string concatenation, and it gives total control of your DB to your user - just by typing in the text box he can do anything he likes.
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use parameterised queries instead.

But when you do use parameterised queries:
C#
string sql = "INSERT INTO MyTable (MyColumn) VALUES (@MyValue)";

You have to supply the parameter value:
C#
int myValueForTheColumn = 666;
string sql = "INSERT INTO MyTable (MyColumn) VALUES (@MyValue)";
SqlCommand cmd = new SqlCommand(sql, connection);
cmd.Parameters.AddWithValue("@MyValue", myValueForTheColumn);


Think about that lot, and see if you can work out what code you need to use to get this to work - it's not difficult!
Let me know how you get on.
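A corrected version of the asker's Button1_Click that applies the answer's advice, added here as an example and not part of OriginalGriff's answer or the asker's project. It assumes the controls are named BranchDropDown, SemesterDropDown, MarksTextBox, QuestionTextBox and StatusLabel, that the connection string is stored in Web.config under the name "Questions", and that the [questions] table has the four columns Branch, Semister, Marks (int) and Questions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Assumed control names, connection-string name and column types; see the lead-in.
public partial class Add_question : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Reject a non-numeric Marks value before anything reaches the database.
        int marks;
        if (!int.TryParse(MarksTextBox.Text, out marks))
        {
            StatusLabel.Text = "Marks must be a whole number.";
            return;
        }

        // Assumed: <connectionStrings><add name="Questions" .../> in Web.config,
        // instead of the hard-coded path from the question.
        string connStr = ConfigurationManager.ConnectionStrings["Questions"].ConnectionString;

        // One column list, one VALUES list, one placeholder per column.
        const string sql =
            "INSERT INTO [questions] (Branch, Semister, Marks, Questions) " +
            "VALUES (@Branch, @Semister, @Marks, @Questions)";

        using (SqlConnection con = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Typed parameters: the user's text travels as data, so quotes or
            // comment markers typed into the box cannot alter the statement.
            cmd.Parameters.Add("@Branch", SqlDbType.NVarChar, 50).Value = BranchDropDown.SelectedValue;
            cmd.Parameters.Add("@Semister", SqlDbType.NVarChar, 20).Value = SemesterDropDown.SelectedValue;
            cmd.Parameters.Add("@Marks", SqlDbType.Int).Value = marks;
            cmd.Parameters.Add("@Questions", SqlDbType.NVarChar, -1).Value = QuestionTextBox.Text;

            con.Open();
            int rows = cmd.ExecuteNonQuery();   // 1 when the row was inserted
            StatusLabel.Text = rows == 1 ? "Question saved." : "Nothing was inserted.";
        }   // both objects are disposed here, even if ExecuteNonQuery throws
    }
}
```

The using blocks also fix a second issue in the original: if ExecuteNonQuery threw, con.Close() was never reached and the connection leaked.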
Comments
Member 13045876 1-Apr-17 6:49am
thanks error solved
OriginalGriff 1-Apr-17 6:58am
You're welcome!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)