All of the values in the SqlStatement below must be entered, otherwise the SqlStatement does not work. If we do not fill in one textbox value, how can this statement work successfully?


C#
try
      {
          con.Open();
          SqlCommand cmd = new SqlCommand("INSERT INTO other_source_income VALUES ('" + txtOSIInterstFromBank.Text + "','"
          + txtOSITDSFromBank.Text + "','"
          + txtOSIInterestFromDebent.Text + "','"
          + txtOSITDSFromNSSWithdr.Text + "','"
          + txtOSIAccuredInterstOnNSC.Text + "','"
          + txtOSITotalIncome.Text + "','"
          + txtOSITotalTDS.Text + "','"
          + txtOSISalary.Text + "','"
          + txtOSIProfessionalTax.Text + "','"
          + txtOSIPFDeduction.Text + "','"
          + txtOSITDS.Text + "')", con);


          cmd.ExecuteNonQuery();
      }


      catch (SqlException ex)
      {
          Response.Write(ex.Message.ToString());
      }
      finally
      {
          con.Close();
      }
Posted
Updated 11-May-12 18:13pm
Comments
Sergey Alexandrovich Kryukov 12-May-12 0:27am    
Perhaps the first thing to think about is: why should it work successfully? :-)
--SA

Bad, really bad idea.

One problem with your code is string concatenation. Repeated concatenation is a bad operation, because strings are immutable, so it's a performance problem. Should I explain why? The class System.Text.StringBuilder and the method String.Format are free from this problem.

But a much bigger problem is the purpose of your concatenation. This is really a fatal mistake from the security standpoint. The problem is: you compose a command using strings taken from the UI, from the user input. But the user can input anything, including some SQL fragments (no, filtering them out is not serious). This opens wide doors to the well-known exploit called SQL injection. Never do it. Please read about this exploit and pay special attention to the importance of parameterized statements:
http://en.wikipedia.org/wiki/SQL_injection

You need to use SQL command parameters. Please read about using command parameters in ADO.NET:
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx

—SA
Comments
VJ Reddy 12-May-12 23:26pm    
Good answer. 5!
Sergey Alexandrovich Kryukov 13-May-12 0:34am    
Thank you, VJ.
--SA
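As an added example (not the asker's code and not part of SA's answer), here is the same INSERT rewritten with ADO.NET command parameters, which also answers the original question about an empty textbox. It assumes that the 11 textbox values are handed in as strings, that the 11 columns of other_source_income (their names are not shown on the page) are nullable decimal columns, and that the caller supplies the connection string; the class and method names are hypothetical.

```csharp
// Added example for this answer; it is not code from the question or from SA.
// Assumptions: the 11 textbox values from the question are passed in as strings,
// the 11 columns of other_source_income (names not shown on the page) are nullable
// decimal columns, and the connection string is supplied by the caller.
using System;
using System.Data;
using System.Data.SqlClient;

public static class OtherSourceIncomeRepository
{
    // Converts one textbox value to a database value: a blank box becomes NULL
    // (the asker's "one textbox not filled" case), a numeric string becomes a
    // decimal, and anything else is rejected instead of being pasted into SQL.
    public static bool TryToDbValue(string text, out object value)
    {
        if (string.IsNullOrWhiteSpace(text))
        {
            value = DBNull.Value;
            return true;
        }
        decimal number;
        if (decimal.TryParse(text.Trim(), out number))
        {
            value = number;
            return true;
        }
        value = null;
        return false;
    }

    // Inserts one row using command parameters. The SQL text is a constant; the
    // user input travels separately as typed parameter values, so an entry such as
    //   '); DROP TABLE other_source_income; --
    // cannot change the statement: here it is simply not a decimal and is rejected,
    // and even in a string column it would be stored as data, not executed.
    public static bool TryInsert(string connectionString, string[] textboxValues, out string error)
    {
        const int ColumnCount = 11;
        if (textboxValues == null || textboxValues.Length != ColumnCount)
        {
            error = "Expected " + ColumnCount + " values.";
            return false;
        }

        // Positional VALUES list, as in the question; listing the column names
        // explicitly is better practice, but they are not given on the page.
        const string sql =
            "INSERT INTO other_source_income VALUES " +
            "(@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10)";

        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            for (int i = 0; i < ColumnCount; i++)
            {
                object value;
                if (!TryToDbValue(textboxValues[i], out value))
                {
                    error = "Value " + (i + 1) + " is not a number.";
                    return false;
                }
                SqlParameter p = cmd.Parameters.Add("@p" + i, SqlDbType.Decimal);
                p.Precision = 18;   // assumed column precision and scale
                p.Scale = 2;
                p.Value = value;    // decimal or DBNull.Value, never SQL text
            }

            con.Open();
            cmd.ExecuteNonQuery();
        }

        error = null;
        return true;
    }
}

// Call site in the page's button handler (the txtOSI... controls are the question's):
//
//   string error;
//   bool ok = OtherSourceIncomeRepository.TryInsert(connectionString, new[] {
//       txtOSIInterstFromBank.Text, txtOSITDSFromBank.Text, txtOSIInterestFromDebent.Text,
//       txtOSITDSFromNSSWithdr.Text, txtOSIAccuredInterstOnNSC.Text, txtOSITotalIncome.Text,
//       txtOSITotalTDS.Text, txtOSISalary.Text, txtOSIProfessionalTax.Text,
//       txtOSIPFDeduction.Text, txtOSITDS.Text }, out error);
```

Two things worth noting. The `using` blocks replace the `finally { con.Close(); }` from the question, so the connection is released even when `ExecuteNonQuery` throws. If you keep a `catch (SqlException)` around the call, log the exception on the server and show the user a generic message rather than writing `ex.Message` to the response, since the raw error text reveals table and column details to whoever is typing into the form.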
What I usually do in a situation like this is put the SQL statement in a string; then, in debug mode, I can copy the statement and use the SQL Server Management console to execute it. That usually gives me a good idea of what the real problem is. Also, SA is totally right.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)