Below I write my SQL query:

"Insert into tblpayfee(regno,sname,lastname,course,sem,date,fee_amt,paid_amt,remain_amt,fine,tot_amt,amt_words)values('" + txtregno.Text + "','" + txtname.Text + "','" + txtlastname.Text + "','" + txtcourse.Text + "','" + DropDownList2.SelectedItem.ToString() + "','" + txtfeedate.Text + "','" + txtfeeamount.Text + "','" + txtpaidamt.Text + "','" + txtremainamt.Text + "','" + txtfineamt.Text + "','" + txttotamt.Text + "'," + txtamt_words + ")";

but I face a problem in the execution of this query:

The name "System.Web.UI.WebControls.TextBox" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted.

How can I solve this problem? Please help me.

- Suraj
Updated 14-May-13 4:46am
[no name] 14-May-13 10:53am    
You really should be using parameterized queries instead of string concatenation to prevent SQL injection attacks.

As mentioned in Solution-1 use txtamt_words.Text.

You are using inline query and passing your Input/TextBox values into it. This is a potential risk of SQL Injection.

Have a look at the below links to understand SQL Injection.

Solution: Instead, use a parameterized query. Have a look at the below link.
Maciej Los 14-May-13 11:07am    
+5 Complete answer!
You forgot to use the Text property on txtamt_words; use "txtamt_words.Text" instead.
Maciej Los 14-May-13 10:52am    
That could be it!
+4, because the answer is not complete ;(
Yuriy Loginov 14-May-13 11:13am    
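The parameterized form of this INSERT that both answers recommend, written out in C# with System.Data.SqlClient as an added example (not code from the question or from either answer). The column names are the question's tblpayfee columns; the SqlDbType choices, parameter sizes, the connStr variable and the decimal/date conversions are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical repository class (not from the original post). Column names are
// those of the question's tblpayfee table; the SqlDbType choices and sizes are assumed.
public static class PayFeeRepository
{
    // Placeholders (@name) stand in for every user-supplied value. The SQL text is now
    // constant, so nothing typed into a TextBox can alter the statement's structure.
    private const string InsertSql =
        "INSERT INTO tblpayfee (regno, sname, lastname, course, sem, date, fee_amt, " +
        "paid_amt, remain_amt, fine, tot_amt, amt_words) " +
        "VALUES (@regno, @sname, @lastname, @course, @sem, @date, @fee_amt, " +
        "@paid_amt, @remain_amt, @fine, @tot_amt, @amt_words)";
    public static int InsertPayFee(string connectionString, string regno, string sname,
        string lastname, string course, string sem, DateTime date, decimal feeAmt,
        decimal paidAmt, decimal remainAmt, decimal fine, decimal totAmt, string amtWords)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(InsertSql, conn))
        {
            // Typed parameters: the driver sends each value separately from the statement,
            // so quotes or semicolons in the input are treated as data, not as SQL.
            cmd.Parameters.Add("@regno", SqlDbType.NVarChar, 50).Value = regno;
            cmd.Parameters.Add("@sname", SqlDbType.NVarChar, 100).Value = sname;
            cmd.Parameters.Add("@lastname", SqlDbType.NVarChar, 100).Value = lastname;
            cmd.Parameters.Add("@course", SqlDbType.NVarChar, 100).Value = course;
            cmd.Parameters.Add("@sem", SqlDbType.NVarChar, 20).Value = sem;
            cmd.Parameters.Add("@date", SqlDbType.DateTime).Value = date;
            cmd.Parameters.Add("@fee_amt", SqlDbType.Money).Value = feeAmt;
            cmd.Parameters.Add("@paid_amt", SqlDbType.Money).Value = paidAmt;
            cmd.Parameters.Add("@remain_amt", SqlDbType.Money).Value = remainAmt;
            cmd.Parameters.Add("@fine", SqlDbType.Money).Value = fine;
            cmd.Parameters.Add("@tot_amt", SqlDbType.Money).Value = totAmt;
            cmd.Parameters.Add("@amt_words", SqlDbType.NVarChar, 200).Value = amtWords;
            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows inserted (1 on success)
        }
    }
}

// Call from the page's click handler, reading .Text on every control (the original
// query passed the txtamt_words control itself, which is what produced the error):
//   int rows = PayFeeRepository.InsertPayFee(connStr, txtregno.Text, txtname.Text,
//       txtlastname.Text, txtcourse.Text, DropDownList2.SelectedItem.Text,
//       DateTime.Parse(txtfeedate.Text), decimal.Parse(txtfeeamount.Text),
//       decimal.Parse(txtpaidamt.Text), decimal.Parse(txtremainamt.Text),
//       decimal.Parse(txtfineamt.Text), decimal.Parse(txttotamt.Text), txtamt_words.Text);
```

Converting the amount and date fields before the call also means a non-numeric or malformed entry fails in the handler with a clear exception instead of reaching the database as text.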

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
