
Link-1 shows the Error; Link-2 shows the Code.

try
{
    int i = 0;
    using (SqlConnection sqlCon = new SqlConnection(Form1.connectionString))
    {
        // Concatenating a C# null adds nothing to the string, so the statement ends up with ",,"
        string commandString = "INSERT INTO Logindetail (Account,ID,Logint,Logoutt) values ('" + acc + "'," + textbxID.Text + "," + null + ", SYSDATETIME()" + ");";
        // MessageBox.Show(commandString);
        SqlCommand sqlCmd = new SqlCommand(commandString, sqlCon);
        sqlCon.Open();
        // ExecuteReader is meant for statements that return rows; this is the call that throws
        SqlDataReader dr = sqlCmd.ExecuteReader();
        i = 1;
        if (i == 0)
        {
            MessageBox.Show("Error in Logging In!", "Error");
        }
        MessageBox.Show("Successfully Logged In");
    }
}
catch (Exception ex)
{
    MessageBox.Show(ex.ToString());
}

I'm making a LoginForm for a project. I have created a table which shows the LoginDetails (Account, ID, LoginTime, LogoutTime). But when I run the program, it doesn't run successfully. I face an error which is in Pic-2. When I remove the SQL 'data reader', the program runs without displaying the error.

  • Any help would be appreciated.... – Hafiz M Taha Waseem Aug 27 '17 at 07:12
  • Do not post pictures showing the errors and code but the error and code themselves. Also please do not use string concatenation... it's SQL injection susceptible - use parameterized queries - it'll also solve your current problem – Gilad Green Aug 27 '17 at 07:13
  • I didn't get it..... Kindly, if you will send me the link, it would be easier for me... Thanks – Hafiz M Taha Waseem Aug 27 '17 at 07:15
  • [SQL Injection alert](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - you should **not** concatenate together your SQL statements - use **parametrized queries** instead to avoid SQL injection - check out [Little Bobby Tables](https://xkcd.com/327/) – marc_s Aug 27 '17 at 07:16
  • see https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements – rene Aug 27 '17 at 07:17
  • Sorry! Can you resolve directly my problem.... I didn't understand from the link. – Hafiz M Taha Waseem Aug 27 '17 at 07:19
  • Please check my post – Reyan Chougle Aug 27 '17 at 07:29
  • @HafizMTahaWaseem - Remove the semi-colon from `SYSDATETIME()" + ");"`. – Am_I_Helpful Aug 27 '17 at 07:34
  • The reason is that you are inserting records in the db so you need to use `ExecuteNonQuery()`, which returns the number of affected rows: `i = sqlCmd.ExecuteNonQuery();`. `ExecuteReader()` is used while selecting data from the db. – mmushtaq Aug 27 '17 at 07:34
  • Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – mjwills Aug 27 '17 at 08:32

1 Answer

When you concatenate a null it basically adds nothing to the string, so this code:

string commandString = "INSERT INTO Logindetail (Account,ID,Logint,Logoutt) values ('" + acc + "'," + textbxID.Text + "," + null + ", SYSDATETIME()" + ");";

results in this string, and as you can see it has an extra comma, which causes the exception:

"INSERT INTO Logindetail (Account,ID,Logint,Logoutt) values ('acc',textbxID,, SYSDATETIME());"

If you want to add NULL to the query it has to be a string, so do this instead:

string commandString = "INSERT INTO Logindetail (Account,ID,Logint,Logoutt) values ('" + acc + "'," + textbxID.Text + ", NULL , SYSDATETIME()" + ");";

And you are using ExecuteReader instead of ExecuteNonQuery. You cannot use ExecuteReader for inserting rows to the DB.

Also, as someone mentioned in the other answer, you had better do it with parameters to avoid SQL injection.

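The comments and the answer both point at parameterized queries and ExecuteNonQuery without showing them together. The following is an added example, not code from the question or the answer: it keeps the question's table Logindetail(Account, ID, Logint, Logoutt) and its column/value mapping (NULL into Logint, SYSDATETIME() into Logoutt), and assumes Account is an nvarchar(50) column, ID an int column and Logint a nullable datetime2 column. The class name LoginDetailRepository, the method LogLogin and the parameter names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the question or the answer. Assumed schema:
// Logindetail(Account nvarchar(50), ID int, Logint datetime2 NULL, Logoutt datetime2).
// Class, method and parameter names are hypothetical.
public static class LoginDetailRepository
{
    // Inserts one login row and returns the number of rows inserted
    // (1 on success, 0 otherwise), which is what the question's `i` was meant to hold.
    public static int LogLogin(string connectionString, string account, string idText)
    {
        // Reject a non-numeric ID on the client. With string concatenation this
        // text would have been pasted straight into the statement, comma and all.
        if (!int.TryParse(idText, out int id))
        {
            throw new ArgumentException("ID must be a whole number.", nameof(idText));
        }

        // The statement text is a constant: no user input is ever part of it.
        // @Account and @ID travel to SQL Server as typed values, so an account
        // like  x'); DROP TABLE Logindetail;--  is stored as plain text.
        const string sql =
            "INSERT INTO Logindetail (Account, ID, Logint, Logoutt) " +
            "VALUES (@Account, @ID, @Logint, SYSDATETIME());";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@Account", SqlDbType.NVarChar, 50).Value = account;
            command.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            // A database NULL is passed as DBNull.Value, not as a C# null;
            // a C# null is what produced the ",," in the original string.
            command.Parameters.Add("@Logint", SqlDbType.DateTime2).Value = DBNull.Value;

            connection.Open();
            // ExecuteNonQuery is the call for INSERT/UPDATE/DELETE and returns the
            // affected-row count; ExecuteReader is for statements that return rows.
            return command.ExecuteNonQuery();
        }
    }
}
```

From the form's click handler, replace the question's try block with `int rows = LoginDetailRepository.LogLogin(Form1.connectionString, acc, textbxID.Text);`, show "Successfully Logged In" only when `rows == 1`, and catch `SqlException` around the call so a server-side error is reported instead of being swallowed. The `using` blocks close the connection on every path, including when the insert throws.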