0

I have a component in c# and I write the following code: 

string SearchString = " and StartDate Between '" 
    + string.Format("{0:yyyy/MM/dd}", Convert.ToDateTime(calender_az.Text)) 
    + "' And '" + string.Format("{0:yyyy/MM/dd}", Convert.ToDateTime(calender_ta.Text)) 
    + "'";

and it works but it has error like this:

string was not recognized as a valid date time? calender_az is date picker

what should I do?

kimia
  • 11
  • 5
  • Your where filter would translate into `and StartDate Between 2010/01/01 and 2010/12/31` but notice it would not contain datetime delimiters. – Cleptus Jul 22 '19 at 08:06
  • Look at the debugger what are the values: ```calender_az.Text```, ```calender_az.Text``` and check whether they are correct DateTime format – Tim Jul 22 '19 at 08:06
  • 3
    What you really should do, if this produces a query that goes to the database, is 1) use parameters, avoiding both formatting issues and SQL injection at the same time and 2) use `>=` and `<`, not `BETWEEN`, which is an inclusive range and can easily miss rows that are right on the edge. – Jeroen Mostert Jul 22 '19 at 08:10
  • You a forcing a specific culture using Convert.ToDateTime, perhaps you should consider `DateTime.ParseExact` instead, check [DateTime.Parse vs Convert.ToDateTime](https://stackoverflow.com/questions/8192520/any-difference-between-datetime-parse-and-convert-todatetime) – Cleptus Jul 22 '19 at 08:11
  • This error is only relative to `Convert.ToDateTime`(not `string.Format` and not SQL where). You may need to check the user input before converting to date time (text can be empty or a non-valid date format). – Grégory Bourgin Jul 22 '19 at 08:13
  • If calender_az is a DateTimePicker or another control that can only have dates there would be no SQLi @JeroenMostert otherwise your warning is good – Cleptus Jul 22 '19 at 08:13
  • calender_az is date picker – kimia Jul 22 '19 at 08:29
  • @bradbury9 is this a web app or desktop app? Cause for web apps date picker or not, anything can be submitted. And even if this is a desktop app, using parameters for SQL queries is always a better way to write your queries. – trailmax Jul 22 '19 at 09:56
  • @trailmax not enough info to know in the question. Thats why I said "DateTimePicker or another control that can only have dates". If there would be aspnet related tags I would +1 on the SQLi – Cleptus Jul 22 '19 at 11:26
  • `calendar_az` is a `DatePicker`. Why convert it's text to a `DateTime` when you can just access the `SelectedDate` property? `string.Format("{0:yyyy/MM/dd}", calender_az.SelectedDate)` – Chris Dunaway Jul 22 '19 at 16:02

1 Answers1

0

Try this

DateTime AZ = DateTime.ParseExact(calender_az.ToString(), "yyyy-MM-dd", CultureInfo.InvariantCulture, DateTimeStyles.None);
Syafiqur__
  • 531
  • 7
  • 15
  • `calendar_az` is a DatePicker. Why convert it's text to a `DateTime` when you can just access the `SelectedDate` property? There is not need for calling `ParseExact`. – Chris Dunaway Jul 22 '19 at 16:00
  • because I use Persian picker and SQL can't support Persian date and a I had to got varchar in SQL and it is text. – kimia Jul 26 '19 at 06:43