Click here to Skip to main content
15,568,965 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
DataBase MySql

edData is a TextBox
content of edData.text = 08/03/2020

the field Data on MySql Table is DATETIME

What I have tried:

string Datas = edData.Text.Substring(6, 4) + "-" + edData.Text.Substring(3, 2) + "-"+ edData.Text.Substring(0, 2) + " 00:00:00,000";          

DateTime data = DateTime.ParseExact(Datas, "yyyy-MM-dd HH:mm:ss,fff", System.Globalization.CultureInfo.InvariantCulture);

const string quote = "\"";

string Query = "UPDATE tb_spese ";
                   Query += " SET id_codice = " + @idCodice + ",";
                   Query += " data = " + quote +  @Datas + quote + ",";
                   Query += " entrata = " + quote + entrata + quote;

ex.Message = "Incorrect date value: '2020-03-08 00:00:00,000' for column 'data' at row 1"
Posted
Updated 18-Mar-20 9:46am
Comments
ZurdoDev 18-Mar-20 13:29pm    
And the problem is? Other than the fact that it looks like you are butchering dates instead of just using dates and date controls.

1 solution

Don't do it like that!

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

And there's no need to manipulate the string like that before parsing the date. Just use the correct format in ParseExact:
C#
DateTime date = DateTime.ParseExact(edData.Text, "dd/MM/yyyy", System.Globalization.CultureInfo.InvariantCulture);

// TODO: Add a WHERE clause to limit which rows are updated:
const string Query = "UPDATE tb_spese SET id_codice = @idCodice, data = @date, entrata = @entrata"; 

using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand(Query, connection))
{
    command.Parameters.AddWithValue("@idCodice", idCodice);
    command.Parameters.AddWithValue("@date", date);
    command.Parameters.AddWithValue("@entrata", entrata);
    
    // TODO: Add other parameters here for the WHERE clause.
    
    connection.Open();
    command.ExecuteNonQuery();
}

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900