
edData is a TextBox
content of edData.text = 08/03/2020

the field Data on MySql Table is DATETIME

What I have tried:

string Datas = edData.Text.Substring(6, 4) + "-" + edData.Text.Substring(3, 2) + "-" + edData.Text.Substring(0, 2) + " 00:00:00,000";

DateTime data = DateTime.ParseExact(Datas, "yyyy-MM-dd HH:mm:ss,fff", System.Globalization.CultureInfo.InvariantCulture);

const string quote = "\"";

string Query = "UPDATE tb_spese ";
Query += " SET id_codice = " + @idCodice + ",";
Query += " data = " + quote + @Datas + quote + ",";
Query += " entrata = " + quote + entrata + quote;

ex.Message = "Incorrect date value: '2020-03-08 00:00:00,000' for column 'data' at row 1"
Posted
Updated 18-Mar-20 9:46am
Comments
ZurdoDev 18-Mar-20 13:29pm
   
And the problem is? Other than the fact that it looks like you are butchering dates instead of just using dates and date controls.

1 solution

Don't do it like that!

Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

And there's no need to manipulate the string like that before parsing the date. Just use the correct format in ParseExact:
// Parse the TextBox text directly, using the day/month/year format it actually contains.
DateTime date = DateTime.ParseExact(edData.Text, "dd/MM/yyyy", System.Globalization.CultureInfo.InvariantCulture);

// TODO: Add a WHERE clause to limit which rows are updated:
const string Query = "UPDATE tb_spese SET id_codice = @idCodice, data = @date, entrata = @entrata";

// SqlConnection/SqlCommand come from System.Data.SqlClient (SQL Server); the MySQL
// provider's MySqlConnection/MySqlCommand (MySql.Data.MySqlClient) are used the same way.
using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand(Query, connection))
{
    // Each value is sent as a parameter: the driver formats the DateTime for the
    // DATETIME column and user input can never change the SQL text.
    command.Parameters.AddWithValue("@idCodice", idCodice);
    command.Parameters.AddWithValue("@date", date);
    command.Parameters.AddWithValue("@entrata", entrata);

    // TODO: Add other parameters here for the WHERE clause.

    connection.Open();
    command.ExecuteNonQuery();
}

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
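The same fix applied to the MySQL table from the question, as an added example that is not the answerer's code: strict parsing of the dd/MM/yyyy text rejects bad input up front, and typed parameters remove both the injection risk and the "Incorrect date value" error, because the driver builds the DATETIME literal. It assumes the MySql.Data package; the table and column names come from the question, while the key column `id` and the decimal type of `entrata` are assumptions.

```csharp
// Added example, not the answerer's code. Assumes the MySql.Data NuGet package
// (namespace MySql.Data.MySqlClient). Table/column names are from the question;
// the "id" key column and the decimal type of "entrata" are assumptions.
using System;
using System.Globalization;
using MySql.Data.MySqlClient;

public static class SpeseRepository
{
    // Strict parse of the TextBox text: "08/03/2020" is 8 March, never 3 August,
    // because the format is fixed and the invariant culture ignores the machine locale.
    public static bool TryParseDayMonthYear(string text, out DateTime date) =>
        DateTime.TryParseExact(text, "dd/MM/yyyy", CultureInfo.InvariantCulture,
                               DateTimeStyles.None, out date);

    // Every value travels as a typed parameter, so the driver (not string formatting)
    // produces the DATETIME literal and user input can never be read as SQL.
    // Returns the number of rows affected; 0 means no row had that id.
    public static int UpdateSpesa(string connectionString, int id, int idCodice,
                                  string dateText, decimal entrata)
    {
        if (!TryParseDayMonthYear(dateText, out DateTime date))
            throw new FormatException($"Expected dd/MM/yyyy, got '{dateText}'");

        const string sql =
            "UPDATE tb_spese SET id_codice = @idCodice, data = @data, entrata = @entrata " +
            "WHERE id = @id";

        using (var connection = new MySqlConnection(connectionString))
        using (var command = new MySqlCommand(sql, connection))
        {
            // Explicit MySqlDbType avoids the provider guessing a type from the value.
            command.Parameters.Add("@idCodice", MySqlDbType.Int32).Value = idCodice;
            command.Parameters.Add("@data", MySqlDbType.DateTime).Value = date;
            command.Parameters.Add("@entrata", MySqlDbType.Decimal).Value = entrata;
            command.Parameters.Add("@id", MySqlDbType.Int32).Value = id;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```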

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)