Have you ever heard of SQL Injection, which has been one of the top 10 application vulnerabilities for over 20 years? Your code is susceptible to it; you should never create a query by concatenating SQL commands with user input.
The proper way to put user input into an SQL query is to use Parameters. In the .NET Framework it is a collection that is one of the properties of the command object.
Besides eliminating the security risks, it also takes care of the data-types so that you will not need to wrap text in single quotes etc. The code also looks a lot cleaner.
This is what your code could look like when implementing this:
var cmd = new SqlCommand("INSERT INTO [table] VALUES (@T1, @T2, @T3, @T4, @CB1)", con);
cmd.Parameters.AddWithValue("@T1", t1); // add @T2, @T3, @T4 and @CB1 the same way, then cmd.ExecuteNonQuery()
Reference: MS Docs : SqlParameterCollection.AddWithValue(String, Object) Method
Now onto your issue.... You really weren't clear in the question and did not provide sample input and desired results, so I can only assume that you want to have one row entered for each checkbox that is checked.
If you are using a newer version of SQL Server, there is a table function called STRING_SPLIT() which will return a table, splitting delimited values into rows.
If your CheckBox is returning a comma-delimited list, you can simply replace your command with this T-SQL:
INSERT into Table
SELECT @T1, @T2, @T3, @T4, value
FROM STRING_SPLIT(@CB1, ',')
Reference: MS Docs: STRING_SPLIT (Transact-SQL)
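The two ideas in this answer, parameters instead of string concatenation and STRING_SPLIT to get one row per checked value, put together in one runnable C# program. This is an added example, not code from the answer above or from the question; the table name `Orders`, its column names, the `DB_CONN` environment variable and the VARCHAR(50) column widths are assumptions. It uses System.Data.SqlClient because the answer refers to the .NET Framework; on .NET Core/.NET 5+ swap in Microsoft.Data.SqlClient, whose API for these calls is the same.

```csharp
// Added example (not from the original answer). Assumptions: a SQL Server table
// Orders(Col1, Col2, Col3, Col4, Choice) with VARCHAR(50) columns, and a
// connection string in the DB_CONN environment variable.
using System;
using System.Data;
using System.Data.SqlClient;

public static class CheckboxInsert
{
    // UNSAFE: the shape of the code the question uses. Every string becomes part
    // of the statement text, so a value such as   x'); DROP TABLE Orders; --
    // is executed as SQL rather than stored as data.
    public static string BuildUnsafeSql(string t1, string t2, string t3, string t4, string cb1)
    {
        return "INSERT INTO Orders VALUES ('" + t1 + "', '" + t2 + "', '" + t3 + "', '"
               + t4 + "', '" + cb1 + "')";
    }

    // SAFE: the statement text is a constant; user input travels only as typed
    // parameters, so it can never change the meaning of the statement.
    // STRING_SPLIT (SQL Server 2016+, database compatibility level 130+) turns the
    // comma-delimited checkbox list into one row per value.
    public static int InsertOnePerCheckbox(SqlConnection con, string t1, string t2,
                                           string t3, string t4, string cb1)
    {
        const string sql = @"
            INSERT INTO Orders (Col1, Col2, Col3, Col4, Choice)
            SELECT @T1, @T2, @T3, @T4, LTRIM(RTRIM(value))
            FROM STRING_SPLIT(@CB1, ',')
            WHERE LTRIM(RTRIM(value)) <> '';";   // skip empty pieces from a trailing comma

        using (var cmd = new SqlCommand(sql, con))
        {
            // Explicit SqlDbType and length rather than AddWithValue: AddWithValue
            // infers NVARCHAR from a .NET string, which forces an implicit conversion
            // (and can defeat an index) when the target column is VARCHAR.
            cmd.Parameters.Add("@T1", SqlDbType.VarChar, 50).Value = t1;
            cmd.Parameters.Add("@T2", SqlDbType.VarChar, 50).Value = t2;
            cmd.Parameters.Add("@T3", SqlDbType.VarChar, 50).Value = t3;
            cmd.Parameters.Add("@T4", SqlDbType.VarChar, 50).Value = t4;
            // The whole list is one parameter; SQL Server splits it, not the app.
            cmd.Parameters.Add("@CB1", SqlDbType.VarChar, 4000).Value = cb1;

            // Returns the number of rows inserted, i.e. the number of checked values.
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample input: the comma-delimited list a CheckBoxList would
        // produce, plus one deliberately malicious text field.
        string cb1 = string.Join(",", new[] { "Red", "Green", "Blue" });
        string hostile = "x'); DROP TABLE Orders; --";

        Console.WriteLine("Concatenated statement (do not run this):");
        Console.WriteLine(BuildUnsafeSql(hostile, "b", "c", "d", cb1));

        string connStr = Environment.GetEnvironmentVariable("DB_CONN");
        if (string.IsNullOrEmpty(connStr))
        {
            Console.WriteLine("DB_CONN not set; skipping the live insert.");
            return;
        }

        using (var con = new SqlConnection(connStr))
        {
            con.Open();
            // With parameters the hostile string is stored verbatim in Col1 and
            // three rows are inserted, one per checked value.
            int rows = InsertOnePerCheckbox(con, hostile, "b", "c", "d", cb1);
            Console.WriteLine("Rows inserted: " + rows);
        }
    }
}
```

Two things worth checking before relying on this in production: STRING_SPLIT is only available at compatibility level 130 or higher, which you can see with `SELECT compatibility_level FROM sys.databases WHERE name = DB_NAME();`, and the insert lists its target columns explicitly, so adding a column to the table later does not silently break the statement the way `INSERT INTO table VALUES (...)` would.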