-8

My code is as follows:

protected void Button1_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(mycon);

    // control text is concatenated straight into the SQL string
    string str = "insert into CustomerHistoryAD(customerId,checkNumber,bank,city,date,amount) values('" + tb_customerID.Text + "','" + tb_CheckNumber.Text + "','" + tb_bank.Text + "','" + tb_city.Text + "','" + tb_date.Text + "','" + tb_Amount.Text + "')";
    sqlq(str);
    lbl0.Text = " DataSaved Successfully ";
    tb_Notification.Text = "Record of Customer ID '" + tb_customerID.Text + "' is Submitted";
}
protected void Button2_Click(object sender, EventArgs e)
{

    string query = "insert into notification(message) values('" + tb_Notification.Text+ "')";
    String mycon = "Data Source=DESKTOP-79IQ2D8; Initial Catalog=ForexMedia; Integrated Security=true";
    SqlConnection con = new SqlConnection(mycon);
    con.Open();
    SqlCommand cmd = new SqlCommand();
    cmd.CommandText = query;
    cmd.Connection = con;
    cmd.ExecuteNonQuery();
    Label3.Text = "Notification Sent";
    tb_Notification.Text = "";
}
  • 5
    There is a reason SO does not let you post 100% code and nothing else... – Freggar Jun 25 '18 at 08:39
  • https://stackoverflow.com/help/how-to-ask – Freggar Jun 25 '18 at 08:39
  • 2
    When you've edited and formatted your post to include a question, have a look at [Sql Injection](https://stackoverflow.com/questions/601300/what-is-sql-injection) – StuartLC Jun 25 '18 at 08:41
  • https://stackoverflow.com/questions/542510/how-do-i-create-a-parameterized-sql-query-why-should-i – SehaxX Jun 25 '18 at 08:43
  • 2
    If you do some simple debugging you may find an answer. Such as put in a breakpoint, check the value of query - look at the SQL. Right now if someone enters 3'998 you'll end up with an error because it will stop the string and leave 998 at the end. We talk of minimal viable examples https://stackoverflow.com/help/mcve so we can help; otherwise you need to help yourself – BugFinder Jun 25 '18 at 08:54

1 Answer

2

There must be a problem in one of your input parameters that you are directly reading from controls.

This is not recommended anyway due to SQL injection attack threat.

If you change your queries to use parameters (parameterized queries), I hope this issue will be resolved.

Following is an example of how to use parameters. Note that I am not using your code in the example:

SqlCommand objSqlCommand = null;
string strSQL = @"INSERT INTO ... (Field1, ...)
                  VALUES
                  (@param1, ...)";
// objConnection: an already opened SqlConnection (name assumed for this snippet)
objSqlCommand = new SqlCommand(strSQL, objConnection);
objSqlCommand.Parameters.Clear();
// the control text travels as a parameter value, never as part of the SQL text
objSqlCommand.Parameters.AddWithValue("@param1", yourControl.Text);
....
....
objSqlCommand.ExecuteNonQuery();
objSqlCommand.Dispose();

You should further improve this code by including a using block or proper try/catch blocks.

This way, if there is any SQL-sensitive character in your input, it will be handled correctly and the issue will be resolved. This is also strongly recommended to protect yourself from SQL injection attacks.

Amit Joshi
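The question's CustomerHistoryAD insert rewritten with parameters and using blocks, as an added example (not the answerer's or the asker's code). It assumes the same control names and connection string as the question; the SqlDbType sizes are assumptions to be matched to the real table definition.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public partial class CustomerHistory : System.Web.UI.Page
{
    // Assumed: the question's connection string, held in one field for both buttons.
    private const string mycon =
        "Data Source=DESKTOP-79IQ2D8; Initial Catalog=ForexMedia; Integrated Security=true";

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Placeholders instead of concatenation: the control text is sent as typed
        // parameter values, so an input like 3'998 is stored as data, not parsed as SQL.
        const string sql =
            "INSERT INTO CustomerHistoryAD (customerId, checkNumber, bank, city, date, amount) " +
            "VALUES (@customerId, @checkNumber, @bank, @city, @date, @amount)";

        try
        {
            using (SqlConnection con = new SqlConnection(mycon))
            using (SqlCommand cmd = new SqlCommand(sql, con))
            {
                // Column types/sizes are assumed; if date and amount are DATE/DECIMAL columns,
                // parse the text first and use SqlDbType.Date / SqlDbType.Decimal instead.
                cmd.Parameters.Add("@customerId", SqlDbType.NVarChar, 50).Value = tb_customerID.Text;
                cmd.Parameters.Add("@checkNumber", SqlDbType.NVarChar, 50).Value = tb_CheckNumber.Text;
                cmd.Parameters.Add("@bank", SqlDbType.NVarChar, 100).Value = tb_bank.Text;
                cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = tb_city.Text;
                cmd.Parameters.Add("@date", SqlDbType.NVarChar, 50).Value = tb_date.Text;
                cmd.Parameters.Add("@amount", SqlDbType.NVarChar, 50).Value = tb_Amount.Text;

                con.Open();
                cmd.ExecuteNonQuery(); // using blocks close and dispose even if this throws
            }

            lbl0.Text = "Data Saved Successfully";
            tb_Notification.Text = "Record of Customer ID '" + tb_customerID.Text + "' is Submitted";
        }
        catch (SqlException ex)
        {
            // Show a generic message to the user; keep ex.Number/ex.Message for server-side logging.
            lbl0.Text = "Save failed; please check the input values. (" + ex.Number + ")";
        }
    }
}
```

The same pattern applies to Button2_Click: the notification message becomes an @message parameter rather than part of the query text.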