Radio button value in SQL database

Question

I am working on basic website with a SQL database using Visual Studio 2013. On the sign up form there are radio button selections of male or female. Im using asp.net.

<div class="radio-inline" style="padding-left: 0px;">
    <label class="labelinput">Gender:</label>
    <label class="radio-inline">
        <input class="radio" type="radio" value="male" id="male"     
            name="gender" checked="checked"/>
        <p style="margin: 0; padding-left: 20px; color: black; 
            font-size: 1.4em;">Male</p>
    </label>
    <label class="radio-inline">
        <input class="radio" type="radio" value="female" id="female" name="gender" />
        <p style="margin: 0; padding-left: 20px; color: black;
            font-size: 1.4em;">Female</p>
    </label>
</div>

What I tried doing was adding a column of 'gender' in the database. Then in the c# part I wrote this:

string gender = Request.Form["gender"];

I use a class that contains functions to connect to the database. The class's name is 'Eitan'. One of the functions is to connect to the database and perform the sql line:

public static void DoQuery(string fileName, string sql)
{
    SqlConnection conn = ConnectToDb(fileName);
    conn.Open();
    SqlCommand com = new SqlCommand(sql, conn);
    com.ExecuteNonQuery();
    com.Dispose();
    conn.Close();
}

My sql line is:

string sql;
sql = "insert into users(fullname, username, password, email, cell, birthday, adress, gender)";
sql += " values('" + fullname + "','" + username + "','" + password + "','" + email + "','" + cell + "','" + birthday + "','" + adress + "','" + gender + "')";

(I have more than just the gender) The filename (database file name):

string filename = "database.mdf";

So I use the function with the filename and sql sentence, and when I fill out the form and press submit it brings me back to 'com.ExecuteNonQuery();' in the function DoQuery and shows me this error:

An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code Additional information: Invalid column name 'gender'.

Any ideas what I should do?

Please be aware that your code is vulnable to [SQL Injection Attacks](http://stackoverflow.com/q/332365/419956), which is a serious thing. — Jeroen, Jun 05 '15 at 09:51
Check your database if the column name gender exist, also read what is sql injection. — mybirthname, Jun 05 '15 at 09:51
What is name of your column in which you store value of gender ? — Mairaj Ahmad, Jun 05 '15 at 10:16
I suspect the problem may be in your `ConnectToDb` function. Is it connecting the the right database? — Diego, Jun 05 '15 at 17:36
Please add an `insert into users` query that can be done without any error directly in your SQL Server ;). — shA.t, Jun 06 '15 at 16:26

score 0 · Answer 1 · answered Jul 07 '15 at 06:23

1- Make sure Users Table columns
(fullname, username, password, email, cell, birthday, adress, gender)
2- Use prefer "Stored Procedure" or below code for crud operation (also for SQL Injection Attacks)

String sql = "INSERT INTO USERS (fullname, username, password, email, cell, birthday, adress, gender)  
     VALUES(@fullname,@username,@password, @email,@cell,@birthday,@adress, @gender)";

SqlCommand command = new SqlCommand(sql, db.Connection);
command.Parameters.Add("@fullname",fullname);
command.Parameters.Add("@username",username);
command.Parameters.Add("@password",password);
command.Parameters.Add("@email",email);
command.Parameters.Add("@cell",cell);
command.Parameters.Add("@birthday",birthday);
command.Parameters.Add("@adress",adress);
command.Parameters.Add("@gender",gender);

command.ExecuteNonQuery();

Radio button value in SQL database

1 Answers1