2

c# asp.net - inserting data into database( dont knw where iam goin wrong) - this code is executing but not working at all ! i tried to feed data through the website i created but it wont reflect it in my database at all plz help !!!! 

using System;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;
public partial class _Default : System.Web.UI.Page

{
    SqlConnection con = new SqlConnection("Data Source=GARGI-PC\\ROOT;Initial Catalog=master;Integrated Security=True");
    protected void page_load(object sender, EventArgs e)
    {}

    public void refress()
    {

        comment1.Text = "";

        software1.Checked = true;

        hardware1.Checked = false;

        both1.Checked = false;

        others.Checked = false;
    }
    protected void btn(object sender, EventArgs e)
    {
        string type = string.Empty ;

        if (hardware1.Checked == true)
        {
            type =  "hardware";
        }
         if (software1.Checked == true)
        {
            type = "software";
        }
         if (both1.Checked == true)
        {
            type = "both";
        }
         if (others.Checked == true)
        {
            type = "others";
        }



        SqlCommand cmd = new SqlCommand("insert into main_page (type, discription,time) values('" + type + "','" + comment1.Text + "','" + "','"+"now()')", con);

        cmd.CommandType = CommandType.Text;

        try

        {

            con.Open();

            cmd.ExecuteNonQuery();

            con.Close();

            refress();

        }

        catch (Exception ex)

        { 

        }

    }

   public void btn_clear(object sender, EventArgs e)

    {
        refress();

    }

}
Improve this question

2 Answers 2

Reset to default
3

Looks like you have a double comma in your INSERT statement.

+ "','" + "','"

The INSERT statement should look like:

INSERT INTO main_page (type, description, time) VALUES ('Type', 'Description', NOW())

Also you are vulnerable to SQL injection, you should paramerterize your queries for all of your inputs rather than trusting the data from your users. As a basic example:

MySqlCommand command = new MySqlCommand("INSERT INTO main_page (Description) VALUES @Description");
command.Parameters.AddWithValue("@Description", comment1.Text);

This would protect you if a user entered a SQL statement within the Comment1 textbox.

ArbitaryData; DROP TABLE main_page;
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

You really should use the command parameters. Here, try this as an example:

public static void AddSong(Songs s)
    {
        using (SqlConnection sqlcon = new SqlConnection(SQL_getConnectionString.conStr()))
        {
            sqlcon.Open();
            try
            {
                string query = "INSERT INTO Songs VALUES(@Id, @Name, @Artist, @Album, @TrackNumber, @TrackNumberCount, " +
                    "@Genre, @Rating, @Tags, @Subject, @Categories, @Comments, @FileName, @FolderName, @FolderPath, " +
                    "@FullPath, @Length, @PlayCount, @SkipCount, @LastPlayed)";

                using (SqlCommand cmd = new SqlCommand(query, sqlcon))
                {
                    cmd.Parameters.Add("@Id", SqlDbType.Int).Value = s.Id;
                    cmd.Parameters.Add("@Name", SqlDbType.VarChar, 250).Value = s.Name;
                    cmd.Parameters.Add("@Album", SqlDbType.VarChar, 250).Value = s.Album;
                    cmd.Parameters.Add("@Artist", SqlDbType.VarChar, 250).Value = s.Artist;
                    cmd.Parameters.Add("@TrackNumber", SqlDbType.Int).Value = s.TrackNumber;
                    cmd.Parameters.Add("@TrackNumberCount", SqlDbType.Int).Value = s.TrackNumberCount;
                    cmd.Parameters.Add("@Genre", SqlDbType.VarChar, 500).Value = s.Genre;
                    cmd.Parameters.Add("@Rating", SqlDbType.Int).Value = s.Rating;
                    cmd.Parameters.Add("@Tags", SqlDbType.VarChar, 500).Value = s.Tags;
                    cmd.Parameters.Add("@Subject", SqlDbType.VarChar, 500).Value = s.Subject;
                    cmd.Parameters.Add("@Categories", SqlDbType.VarChar, 500).Value = s.Categories;
                    cmd.Parameters.Add("@Comments", SqlDbType.VarChar, -1).Value = s.Comments;
                    cmd.Parameters.Add("@FileName", SqlDbType.VarChar, 500).Value = s.FileName;
                    cmd.Parameters.Add("@FolderName", SqlDbType.VarChar, 500).Value = s.FolderName;
                    cmd.Parameters.Add("@FolderPath", SqlDbType.VarChar, -1).Value = s.FolderPath;
                    cmd.Parameters.Add("@FullPath", SqlDbType.VarChar, -1).Value = s.FullPath;
                    cmd.Parameters.Add("@Length", SqlDbType.VarChar, 50).Value = s.Length;
                    cmd.Parameters.Add("@PlayCount", SqlDbType.Int).Value = s.PlayCount;
                    cmd.Parameters.Add("@SkipCount", SqlDbType.Int).Value = s.SkipCount;
                    cmd.Parameters.Add("@LastPlayed", SqlDbType.VarChar, 50).Value = s.LastPlayed;

                    int rows = cmd.ExecuteNonQuery();
                    sqlcon.Close();

                }

            }
            catch (Exception ex)
            {
                Console.WriteLine("Could not insert. {0}", s.Name);
                Console.WriteLine("Error Message {0}", ex.Message);
            }


        }
    }
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.