
I put a SQL statement into a button in Visual to make it insert data into the DB, and when I click it this error happens:

Conversion from string "Insert into TBL_Usuario_102 valu" to type 'Double' is not valid.

This is the code that's in the button:

```vb
Private Sub Guardar_Click(sender As Object, e As EventArgs) Handles Guardar.Click
    If NombreDePersona.Text <> "" And Cedula.Text <> "" And RepetirContraseña.Text <> "" And Contraseña.Text <> "" Then
        If (RepetirContraseña.Text = Contraseña.Text) Then

            instruccionSQL = New SqlClient.SqlCommand("Insert into TBL_Usuario_102 values" +
            "(" + Cedula.Text + "," +
            NombreDePersona.Text + "," + 3 +
            "," + Contraseña.Text + "," +
            FechaInclusion.Text + "," + 0 +
            "," + FechaInclusion.Text + "," + 3 + ")")

            MsgBox("Datos Guardados Correctamente")
            Cedula.Clear()
            NombreDePersona.Clear()
            Contraseña.Clear()
            RepetirContraseña.Clear()

        Else
            MsgBox("Las contraseñas no coinciden")
        End If
    Else
        MsgBox("Escriba en Cada Campo")
    End If

End Sub
```

The SQL connection is in a module and it is working, because when I insert the data manually in SQL Server the login works fine.

The data types of the table columns in the database are, in this order:

  1. varchar(15)
  2. varchar(20)
  3. int
  4. varchar(50)
  5. datetime
  6. bit
  7. datetime
  8. int
Simpson G.
  • Possible duplicate of [How can I add user-supplied input to an SQL statement?](https://stackoverflow.com/questions/35163361/how-can-i-add-user-supplied-input-to-an-sql-statement) – Igor Mar 24 '18 at 01:53
  • 1. Your code is _wide open_ to SQL injection hacking. 2. Turn on `Option Strict`. 3. The concatenation operator for VB.Net is `&` and not `+`. Because you have `+ 3 +` in your code, VB is likely trying to implicitly convert that to a numeric form, resulting in your error. – Chris Dunaway Mar 26 '18 at 15:06
  • The problem is probably caused by using the '+' operator between a string and a number (e.g. 3). Try to use the string concatenation operator & or the string "3". – IvanH Mar 27 '18 at 15:00

1 Answer


Creating a SQL string like this is dangerous, as it can lead to SQL injection attacks. Usually it is recommended to use command parameters; however, you can also escape single quotes in strings by doubling them. This should make such an attack impossible. Command parameters also have the advantage that you don't have to care about the formatting of strings (and escaping them), numbers, Booleans and dates. E.g. see: How to pass a parameter from vb.net.

As it is now, there is another problem with your SQL statement. Strings must be enclosed in single quotes. Also use & for string concatenation, not + (it is this + which lets VB think that you want to add Doubles).

The type of your texts and numbers inputs does not seem to match the one in the table (is NombreDePersona a varchar(20)?) and you are inserting FechaInclusion twice.

I would also specify the column names explicitly:

```sql
INSERT INTO TBL_Usuario_102 (column_name1, column_name2, ...) values ('a text', 3, ...)
```

Finally, you don't execute your command. After having opened a connection:

```vb
instruccionSQL.ExecuteNonQuery()
```
Olivier Jacot-Descombes
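Putting the answer's points together, here is an added example (not the asker's code and not the answerer's) of the same insert done with command parameters, an explicit column list, `&` under `Option Strict On`, and an actual `ExecuteNonQuery()` call. The column names (`Cedula`, `Nombre`, `Tipo`, `Contrasena`, `FechaInclusion`, `Activo`, `FechaModificacion`, `Rol`), the connection string and the module/form names are assumptions, since the page never shows them; only `TBL_Usuario_102` and the column types come from the question. The button handler assumes the same text boxes as the original form.

```vb
' Comments are allowed before Option statements; Option Strict makes "text" + 3 a compile error
' instead of a runtime Double conversion, which is exactly the error in the question.
Option Strict On

Imports System.Data
Imports System.Data.SqlClient

Module UsuarioRepository

    ' Assumed connection string (the original keeps its connection in a module of its own).
    Private Const ConnectionString As String = "Server=.;Database=MiBase;Integrated Security=True"

    ' Inserts one row and returns the number of rows affected (1 on success).
    ' User input only ever travels as parameter values, never as SQL text, so a value such as
    ' O'Brien or a quote character cannot change the statement.
    Public Function InsertarUsuario(cedula As String, nombre As String,
                                    contrasena As String, fechaInclusion As Date) As Integer
        ' Explicit column list (names assumed) and placeholders instead of concatenated values.
        Dim sql As String =
            "INSERT INTO TBL_Usuario_102 " &
            "(Cedula, Nombre, Tipo, Contrasena, FechaInclusion, Activo, FechaModificacion, Rol) " &
            "VALUES (@Cedula, @Nombre, @Tipo, @Contrasena, @FechaInclusion, @Activo, @FechaModificacion, @Rol)"

        Using conn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(sql, conn)
                ' Types and sizes mirror the table in the question:
                ' varchar(15), varchar(20), int, varchar(50), datetime, bit, datetime, int.
                cmd.Parameters.Add("@Cedula", SqlDbType.VarChar, 15).Value = cedula
                cmd.Parameters.Add("@Nombre", SqlDbType.VarChar, 20).Value = nombre
                cmd.Parameters.Add("@Tipo", SqlDbType.Int).Value = 3
                cmd.Parameters.Add("@Contrasena", SqlDbType.VarChar, 50).Value = contrasena
                cmd.Parameters.Add("@FechaInclusion", SqlDbType.DateTime).Value = fechaInclusion
                cmd.Parameters.Add("@Activo", SqlDbType.Bit).Value = False
                cmd.Parameters.Add("@FechaModificacion", SqlDbType.DateTime).Value = fechaInclusion
                cmd.Parameters.Add("@Rol", SqlDbType.Int).Value = 3

                conn.Open()
                ' The original built the command but never ran it.
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

End Module

' Button handler on the (assumed) form that owns Guardar, Cedula, NombreDePersona,
' Contraseña, RepetirContraseña and FechaInclusion.
Partial Public Class FormUsuario
    Inherits System.Windows.Forms.Form

    Private Sub Guardar_Click(sender As Object, e As EventArgs) Handles Guardar.Click
        If NombreDePersona.Text = "" OrElse Cedula.Text = "" OrElse
           Contraseña.Text = "" OrElse RepetirContraseña.Text = "" Then
            MsgBox("Escriba en Cada Campo")
            Return
        End If

        If Contraseña.Text <> RepetirContraseña.Text Then
            MsgBox("Las contraseñas no coinciden")
            Return
        End If

        ' Check lengths against the column sizes here, so an over-long value is reported to the
        ' user instead of being rejected (or silently truncated) by SQL Server.
        If Cedula.Text.Length > 15 OrElse NombreDePersona.Text.Length > 20 OrElse Contraseña.Text.Length > 50 Then
            MsgBox("Uno de los campos es demasiado largo")
            Return
        End If

        ' Parse the date once, in .NET, rather than letting SQL Server guess the text format.
        Dim fecha As Date
        If Not Date.TryParse(FechaInclusion.Text, fecha) Then
            MsgBox("Fecha no válida")
            Return
        End If

        Try
            UsuarioRepository.InsertarUsuario(Cedula.Text, NombreDePersona.Text, Contraseña.Text, fecha)
            MsgBox("Datos Guardados Correctamente")
            Cedula.Clear()
            NombreDePersona.Clear()
            Contraseña.Clear()
            RepetirContraseña.Clear()
        Catch ex As SqlException
            ' Show the failure instead of reporting success before the insert ever ran.
            MsgBox("Error al guardar: " & ex.Message)
        End Try
    End Sub

End Class
```

Because each value is bound with its `SqlDbType`, the quoting problem from the answer disappears as well: strings need no surrounding single quotes and dates and bits need no text formatting, and the `+` versus `&` question never arises because no values are concatenated into the statement at all.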