Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
The chances are that that will cure your problem at the same time.
using (SqlCommand cmd = new SqlCommand("insert into rsa_addtocart(UserId,productid,productname,ProductImage,price,qty,totalcost,cdate)values(@UID, @PID, @PN, @PI, @PR, @QTY, @TC, GETDATE())", con))
{
    // Each value is passed as a parameter, never spliced into the SQL text.
    cmd.Parameters.AddWithValue("@UID", Convert.ToInt32(Session["users"]));
    cmd.Parameters.AddWithValue("@PID", Convert.ToInt32(ds.Tables[0].Rows[0][0]));
    cmd.Parameters.AddWithValue("@PN", ds.Tables[0].Rows[0][1]);
    cmd.Parameters.AddWithValue("@PI", ds.Tables[0].Rows[0][3]);
    cmd.Parameters.AddWithValue("@PR", Convert.ToDecimal(ds.Tables[0].Rows[0][2]));
    cmd.Parameters.AddWithValue("@QTY", 1);
    cmd.Parameters.AddWithValue("@TC", Convert.ToDecimal(ds.Tables[0].Rows[0][2]));
    cmd.ExecuteNonQuery();
}
[edit]Missed that hard coded value![/edit]
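
The "accidental" case mentioned above, as an added example that is not part of the original answer: a legitimate product name containing an apostrophe breaks a concatenated statement, while the parameterized command keeps its SQL text unchanged. The class name, the sample value, the reduced column list and the `nvarchar(200)` size are assumptions made for illustration; no database connection is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class CartInsertDemo
{
    // Constructed sample value: an ordinary product name with an apostrophe.
    const string ProductName = "Men's Watch";

    // The pattern the answer warns against: the value becomes part of the SQL text.
    static string BuildConcatenated(string name)
    {
        return "insert into rsa_addtocart(productname,qty) values('" + name + "', 1)";
    }

    // Parameterized form: the SQL text is constant and the value travels as data.
    static SqlCommand BuildParameterized(string name)
    {
        var cmd = new SqlCommand(
            "insert into rsa_addtocart(productname,qty) values(@PN, @QTY)");
        // Explicit types avoid relying on type inference; the size is an assumed column width.
        cmd.Parameters.Add("@PN", SqlDbType.NVarChar, 200).Value = name;
        cmd.Parameters.Add("@QTY", SqlDbType.Int).Value = 1;
        return cmd;
    }

    static void Main()
    {
        string sql = BuildConcatenated(ProductName);
        Console.WriteLine(sql);

        // An odd number of single quotes means the string literal is unbalanced,
        // so the server would reject the statement with a syntax error.
        int quotes = sql.Split('\'').Length - 1;
        Console.WriteLine("single quotes: " + quotes +
            (quotes % 2 == 0 ? " (balanced)" : " (unbalanced)"));

        using (SqlCommand cmd = BuildParameterized(ProductName))
        {
            // The command text contains only placeholders, whatever the name holds.
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " (" + p.SqlDbType + ") = " + p.Value);
        }
    }
}
```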