Click here to Skip to main content
16,015,414 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
i am using below code. system is generating invalid operation exception at line

com.ExecuteNonQuery();

please suggest

SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=.\\SQLEXPRESS;Initial Catalog=master";
string q = "insert into category_name(category_name) values('" + TextBox1.Text + "')";
SqlCommand com = new SqlCommand(q, con);
com.ExecuteNonQuery();
Response.Write("alert('Category successfully registered')");
con.Close();

What I have tried:

SqlConnection con = new SqlConnection();
        con.ConnectionString = "Data Source=.\\SQLEXPRESS;Initial Catalog=master";
        string q = "insert into category_name(category_name) values('" + TextBox1.Text + "')";
        SqlCommand com = new SqlCommand(q, con);
        com.ExecuteNonQuery();
        Response.Write("<script>alert('Category successfully registered')</script>");
        con.Close();
Posted
Updated 22-Jul-17 16:09pm
Comments
Graeme_Grant 22-Jul-17 22:14pm    
Is there an InnerException?

Don't do it like that! Never concatenate strings to form an SQL command - always use Parameterized queries instead or you are at risk of SQL Injection which lets users damage or destroy your database just by typing in a textbox.

Fix that in the code you show - and everywhere else in your app - and your problem will probably go away at the same time.
 
Share this answer
 
Comments
Member 12950401 22-Jul-17 13:50pm    
sir..i am new to this..how to write parameterized queries
In your code I see you are using 'master' database, this is is a system database. I don't think you are intentionally using this. Change the database to the one in which you have created category_name table. Also make the query parameterized instead of injecting values directly as this is vulnerable to sql injection attack. For parameterized query you can do like this..

string strQuery;

SqlCommand cmd;

strQuery = "insert into customers (CustomerID, CompanyName) values(@CustomerID, @CompanyName)";

cmd = new SqlCommand(strQuery);

cmd.Parameters.AddWithValue("@CustomerID", "A234");

cmd.Parameters.AddWithValue("@CompanyName", "DCB");
 
Share this answer
 
Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900