-8

I am trying to implement this:

    Console.WriteLine("Enter Name: ");
    this.name = Console.ReadLine();
    string sql1 = "insert into items values ( " + this.name ")";
    DataAccess.ExecuteSQL(sql1);

When I try to input data through this, it shows an error about an unhandled exception, column name or number not found.

I am sure column name is ok and I gave it varchar(50) type. Is this method not permitted?

Thank you in advance.

eshmam

2 Answers

0

You need to provide quotes if the field is a varchar:

    string sql1 = "insert into items values ( '" + this.name + "')";

Be careful of sql injection though, parameterized queries are better.

Glen Hughes
0

Well first of all you don't have quotes around your string. You're also missing a plus sign. It should be like:

    string sql1 = "insert into items values ( '" + this.name + "')";

However, this is a really bad way of handling your SQL queries through C#. You should be using parameterized queries! There are a lot of bad things that can happen to your database if you do things like this...

See the example of using the SqlCommand class with parameters at the bottom of this page: http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters.aspx

Adam Plocher
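
The parameterized form both answers recommend, as an added example (not code from the question or from either answer). It assumes the varchar(50) column is named `name` and that a connection string is supplied in a hypothetical `ITEMS_DB` environment variable, and it uses `SqlCommand` directly instead of the asker's `DataAccess.ExecuteSQL` helper.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // built into .NET Framework; a NuGet package on newer .NET

static class ItemsInsert
{
    // Assumption: the varchar(50) column in "items" is called "name".
    const string InsertSql = "INSERT INTO items (name) VALUES (@name)";

    // The statement text is a constant; user input travels only as a typed parameter value.
    static SqlCommand BuildInsert(string name)
    {
        if (name == null) throw new ArgumentNullException(nameof(name));
        if (name.Length > 50) throw new ArgumentException("name is longer than 50 characters");
        var cmd = new SqlCommand(InsertSql);
        cmd.Parameters.Add("@name", SqlDbType.VarChar, 50).Value = name;
        return cmd;
    }

    static void Main()
    {
        Console.Write("Enter Name: ");
        string name = Console.ReadLine() ?? "";

        // Concatenated form from the answers, printed for comparison only (never executed).
        // A name such as O'Brien (constructed sample) ends the string literal early.
        Console.WriteLine("concatenated : insert into items values ( '" + name + "')");
        try
        {
            using (SqlCommand cmd = BuildInsert(name))
            {
                Console.WriteLine("parameterized: " + cmd.CommandText
                                  + "   @name = " + cmd.Parameters["@name"].Value);

                // Assumption: connection string comes from the ITEMS_DB environment variable.
                string connStr = Environment.GetEnvironmentVariable("ITEMS_DB");
                if (string.IsNullOrEmpty(connStr)) return; // no database configured: stop here

                using (var conn = new SqlConnection(connStr))
                {
                    conn.Open();
                    cmd.Connection = conn;
                    Console.WriteLine("rows inserted: " + cmd.ExecuteNonQuery());
                }
            }
        }
        catch (ArgumentException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

With the input `O'Brien`, the concatenated line shows an unbalanced quote that the server would reject or misparse, while the parameterized statement text is identical for every input.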