1

I got a situation here. I need to insert values into tables depending on what a user provides on the Window form. If a good does not exist and more than is necessary is acquired the the excess must be entered into a table called "BulkAvailable" this is where a big exists in my code as when I comment this part out the code runs well. Please find the piece of code below

           try
            {
                SqlConnection con = new SqlConnection("Data Source=PV10\\LOCALSERVER;Initial Catalog=SmallSoftwareDB;Integrated Security=True;Pooling=False");
                con.Open();
                float a = float.Parse(textBox8.Text, System.Globalization.CultureInfo.InvariantCulture);
                int b = int.Parse(textBox9.Text);
                float c = a * b;
                var T = c.ToString(System.Globalization.CultureInfo.InvariantCulture);

                float x = float.Parse(textBox4.Text, System.Globalization.CultureInfo.InvariantCulture);
                int z = int.Parse(textBox3.Text);
                float y = x * z;
                var total = y.ToString(System.Globalization.CultureInfo.InvariantCulture);

                int d = b - z;

                string uba = "insert into BulkSale(ProductName, ProductSource, Date, Quantity, Type, UnitPrice, Total, Nature) values('" + textBox1.Text + "', '" + textBox2.Text + "', '" + dateTimePicker1.Value + "', '" + textBox3.Text + "', '" + textBox6.Text + "', '" + textBox4.Text + "', '" + textBox5.Text + "', '"+textBox7.Text+"')";
                string A = "insert into BulkInput(ProductName, ProductSource, Date, Quantity, Type, UnitPrice, Total, Nature) values('"+textBox1.Text+"','"+textBox2.Text+"','"+dateTimePicker1.Value+"','"+b+"','"+textBox6.Text+"','"+a+"','"+c+"', '"+textBox7.Text+"')";
                SqlCommand cmd = new SqlCommand(uba, con);
                SqlCommand X = new SqlCommand(A, con);
                cmd.ExecuteNonQuery();
                X.ExecuteNonQuery();

                try
                {
                    if (int.Parse(textBox9.Text) > int.Parse(textBox3.Text))
                    {
                        string B = "insert into BulkAvailable(ProductSource,ProductName,Date,Quantity,Type) values('" + textBox2.Text + "','" + textBox1.Text + "','" + dateTimePicker1.Text + "','" + d + "','" + textBox6.Text + "')";
                        SqlCommand Bc = new SqlCommand(B, con);
                        Bc.ExecuteNonQuery();
                    }

                    else
                    {
                        MessageBox.Show("You successfully Bought and Sold", " ", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
                    }
                }
                catch (Exception aze)
                {
                    MessageBox.Show(aze.Message, " ", MessageBoxButtons.OK, MessageBoxIcon.Warning);
                }

                MessageBox.Show("Operation Successfully Executed", " ", MessageBoxButtons.OK, MessageBoxIcon.Information);
                con.Close();
            }
            catch (Exception er) 
            {
                MessageBox.Show(er.Message, " ", MessageBoxButtons.OK, MessageBoxIcon.Warning);
            }
        }

When I run the code it returns an exception message: "String of binary data would be truncated. The statement has been terminated"

Mostafiz
  • 7,243
  • 3
  • 28
  • 42
Indra
  • 43
  • 1
  • 6
  • 1
    in which line number? – Vivek Nuna Oct 18 '16 at 16:37
  • 3
    You need to rewrite this to use a [paramaterized insert](http://stackoverflow.com/questions/35163361/how-can-i-add-user-supplied-input-to-an-sql-statement), you are vulnerable to SQL injection. (Put a `'` in one of the textboxes and see what happens) – Alex K. Oct 18 '16 at 16:39
  • 4
    The error is because you are attempting to put text into a table column that exceeds the maximum length of that column. – Alex K. Oct 18 '16 at 16:39
  • You leak resources because you leave undisposed much which should be disposed – Alex K. Oct 18 '16 at 16:40
  • 1
    **Do not try this!!!** *Imagine* a malicious user typing in `');drop table BulkInput` into textbox 7. What do you think would happen? Try mentally constructing `string A` to help yourself recognize the grave danger of constructing SQL from strings provided by end-users. – Sergey Kalinichenko Oct 18 '16 at 16:42
  • Actually talking about sql injection. I've been trying this out with no success at all(on my own code so I could really appreciate the threat) Could anyone show me how to bring out the vulnerability of string concatenation in sql? – Indra Oct 19 '16 at 21:17

1 Answers1

1

You should check your fields in database. This error means that you are tring to insert string with more length than the boundaries of the field.

So for an example if you have db field ProductName defined as varchar(50) and you try to insert value which have 52 characters in it, you will receive this error.

We can't tell you on which exact field this happen, you should check it manually. You can try to execute the query in the DB and see if the error gives you the field name, but in the past this not happen.

You should implement some validation checks about your fields, if they go over some Length show an error message or cut the string using Substring method.

mybirthname
  • 17,949
  • 3
  • 31
  • 55
  • 1
    Hopefully OP sees a much larger issue at hand... which is that what he's written has SQL injection vulnerabilities everywhere. – dvsoukup Oct 18 '16 at 16:44
  • if (int.Parse(textBox9.Text) > int.Parse(textBox3.Text)) { string B = "insert into BulkAvailable(ProductSource,ProductName,Date,Quantity,Type) values('" + textBox2.Text + "','" + textBox1.Text + "','" + dateTimePicker1.Text + "','" + d + "','" + textBox6.Text + "')"; SqlCommand Bc = new SqlCommand(B, con); Bc.ExecuteNonQuery(); } – Indra Oct 18 '16 at 16:59
  • @Indra so check all the fields which take this textBoxes.Text and see their definition in database. Like I said we can't tell you which field creates the problem. You should check it by yourself – mybirthname Oct 18 '16 at 17:01
  • Thanks Y'all. I'll cross check as advices. I'll keep y'all posted – Indra Oct 18 '16 at 17:13
  • @Indra if the answer helped you, you can mark it as correct. – mybirthname Oct 18 '16 at 17:42