-2

I'm making our system for my thesis, and I'm trying to save an account for the users. My condition is, if there's an empty form, the account will not be saved and it will display a message box. I tried to put it in an if element, that "If aForm.Text.Trim() != null" the info/account will be saved into the database. But when I tried to leave an empty form and click save, it still gets saved in the database.

Here's the code. ALL OF THE COLUMNS IN SQL ARE SET TO "NOT NULL"

using System;
using System.Data.SqlClient;
using System.Windows.Forms;

private void aAddUserSave_Click(object sender, EventArgs e)
{
    // it will save the data if all of the forms are not == to null
    // or empty spaces,
    // and before the info is saved
    // the confirm password should be == to the password

    if (aAddUserFirstName.Text.Trim() != null && aAddUserLastName.Text.Trim() != null && aAddUserAddress.Text.Trim() != null && aAddUserContact.Text.Trim() != null && aAddUserPass.Text.Trim() != null &&
        aAddUserPassConfirm.Text.Trim() != null && aAddUserForgotAnswer.Text.Trim() != null && aAddUserPassConfirm.Text == aAddUserPass.Text)
    {
        // location and the command for the database
        string connectionString = @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\makoy2017\Documents\My files\School Files\Veron System\System Files\DO NOT DELETE\veronServer.mdf;Integrated Security=True;Connect Timeout=30";
        string query = "INSERT INTO usersAccount (firstName, lastName, address, contactNo, position, password, forgotAnswer) values('" + this.aAddUserFirstName.Text + "', '" + this.aAddUserLastName.Text + "', '" + this.aAddUserAddress.Text +
            "', '" + this.aAddUserContact.Text + "', '" + this.aAddUserPosition.SelectedIndex + "', '" + this.aAddUserPass.Text + "', '" + this.aAddUserForgotAnswer.Text + "');";

        // connecting to the database
        SqlConnection sqlConnection = new SqlConnection(connectionString);
        SqlCommand sqlCommand = new SqlCommand(query, sqlConnection);
        SqlDataReader sqlDataReader;

        // try and catch for the saving and reading of the data,
        // so if there's an error the system will not close
        // and will show the error message
        try
        {
            // open the database connection to the system
            sqlConnection.Open();

            // execute the sql command for the sql reader
            sqlDataReader = sqlCommand.ExecuteReader();

            // read all of the data
            while (sqlDataReader.Read())
            {

            }

            // show user saved
            // when the data is saved successfully!
            MessageBox.Show("User Saved!");

        }
        catch (Exception ex)
        {
            // this will show a message box
            // with the error of the data;
            // the data will not be saved in the database
            MessageBox.Show(ex.Message);
        }
    }
    else
    {
        MessageBox.Show("Please check your confirm/password!");
    }
}

Please help. Make the code simple because I'm still a beginner. Thank you in advance :)

Bradley Grainger
MoZenLen
  • Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – mjwills Aug 24 '18 at 13:19

1 Answer

5

null and "an empty string" are not the same thing. There's a handy helper method to assist with the conditional checks though. So instead of this:

if (aAddUserFirstName.Text.Trim() != null)

You can do something like this:

if (!string.IsNullOrWhiteSpace(aAddUserFirstName.Text))

This will ensure that the string is not:

  • null
  • an empty string (length 0)
  • a non-empty string containing only whitespace characters (what you were doing with .Trim())

IMPORTANT: There are other problems with your code. Primarily, you are wide open to SQL Injection. What this means is that your code is blindly executing any SQL code your users feel like sending it. Do not directly concatenate user-modifiable values with your SQL code. Instead, use query parameters and treat user input as values instead of as code.

Additionally, you don't need to use ExecuteReader and read data when you're not actually reading any data. You're executing an INSERT statement, not a SELECT. Use ExecuteNonQuery instead.

David
  • What if I need to check 5 forms? I'm trying to do this `if (!string.IsNullOrWhiteSpace(aAddUserFirstName.Text, aAddUserLastName.Text))` but it won't let me – MoZenLen Aug 24 '18 at 13:06
  • @MoZenLen: You can use the `&&` operator to combine multiple conditions into a single statement. For example: `if (!string.IsNullOrWhiteSpace(aAddUserFirstName.Text) && !string.IsNullOrWhiteSpace(aAddUserLastName.Text))` Just like you already do in your code now. – David Aug 24 '18 at 13:07
  • It works! Thank you so much! And also I changed and deleted all the code I didn't need and it helped me a lot. :) – MoZenLen Aug 24 '18 at 13:25
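The save handler rewritten with the three fixes the answer describes (whitespace-aware validation, a parameterized INSERT, and ExecuteNonQuery), as an added example that is not code from the question or the answer. The control names, table name and column names are the ones in the question; the helper names `AllFieldsFilled` and `InsertUser`, the `AddUserForm` class name, the `<PATH-TO>` placeholder in the connection string, and the assumption that `position` is an integer column and the text columns are NVARCHAR are mine.

```csharp
// Added example, not part of the original question or answer.
// Assumes the designer-generated fields (aAddUserFirstName, aAddUserPass, ...)
// are TextBoxes and aAddUserPosition is a ComboBox, as in the question.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public partial class AddUserForm : Form
{
    // Assumed: the connection string is kept in one place; replace <PATH-TO>.
    private const string ConnectionString =
        @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=<PATH-TO>\veronServer.mdf;Integrated Security=True;Connect Timeout=30";

    private void aAddUserSave_Click(object sender, EventArgs e)
    {
        // 1. Every box must contain something other than whitespace.
        //    Text.Trim() != null was always true because Trim() never returns null.
        if (!AllFieldsFilled(aAddUserFirstName, aAddUserLastName, aAddUserAddress,
                             aAddUserContact, aAddUserPass, aAddUserPassConfirm,
                             aAddUserForgotAnswer))
        {
            MessageBox.Show("Please fill in every field.");
            return;
        }

        // 2. Keep the original rule: confirmation must equal the password.
        if (aAddUserPass.Text != aAddUserPassConfirm.Text)
        {
            MessageBox.Show("Please check your confirm/password!");
            return;
        }

        try
        {
            int rows = InsertUser(aAddUserFirstName.Text, aAddUserLastName.Text,
                                  aAddUserAddress.Text, aAddUserContact.Text,
                                  aAddUserPosition.SelectedIndex, aAddUserPass.Text,
                                  aAddUserForgotAnswer.Text);
            MessageBox.Show(rows == 1 ? "User Saved!" : "Nothing was saved.");
        }
        catch (SqlException ex)
        {
            // Database errors are reported instead of crashing the form.
            MessageBox.Show(ex.Message);
        }
    }

    // Hypothetical helper: true only if no box is null, empty or whitespace-only.
    private static bool AllFieldsFilled(params TextBox[] boxes)
    {
        foreach (TextBox box in boxes)
        {
            if (string.IsNullOrWhiteSpace(box.Text))
            {
                return false;
            }
        }
        return true;
    }

    // Hypothetical helper: user input is bound as parameter values, never
    // concatenated into the SQL text, so a quote in a field cannot change the query.
    private static int InsertUser(string firstName, string lastName, string address,
                                  string contactNo, int position, string password,
                                  string forgotAnswer)
    {
        const string sql =
            "INSERT INTO usersAccount (firstName, lastName, address, contactNo, position, password, forgotAnswer) " +
            "VALUES (@firstName, @lastName, @address, @contactNo, @position, @password, @forgotAnswer);";

        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Assumed column types: NVARCHAR for text, INT for position.
            command.Parameters.Add("@firstName", SqlDbType.NVarChar).Value = firstName;
            command.Parameters.Add("@lastName", SqlDbType.NVarChar).Value = lastName;
            command.Parameters.Add("@address", SqlDbType.NVarChar).Value = address;
            command.Parameters.Add("@contactNo", SqlDbType.NVarChar).Value = contactNo;
            command.Parameters.Add("@position", SqlDbType.Int).Value = position;
            command.Parameters.Add("@password", SqlDbType.NVarChar).Value = password;
            command.Parameters.Add("@forgotAnswer", SqlDbType.NVarChar).Value = forgotAnswer;

            connection.Open();
            // An INSERT returns the number of affected rows; no SqlDataReader is needed.
            return command.ExecuteNonQuery();
        }
    }
}
```

The `using` blocks dispose the connection and command even when `ExecuteNonQuery` throws, which the original code did not do. Checking the returned row count lets the handler distinguish a successful insert from a statement that ran but changed nothing. The example stores exactly the same columns the question's INSERT does; it changes only how the values reach the database.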