0

I am making a C# client-server application for my college class. I have an MS Access database with a table Package, it has some values like 'name', 'dateFrom', 'dateTo', and 2 values called 'internet' and 'telephone' which are YES/NO type

In the program I made a class Package and set internet and telephone as bool type of data. Firstly, is this correct? If value is set as YES/NO in MS Access, am I supposed to set it as bool in C#? this seems logical to me..

Secondly, when I enter SQL command for inserting these values I get an error, I don't know how to send bool values to database

Here is my code

command.CommandText = "Insert into Package values ("+p.PackageID+", '"+ p.Name+"', '"+p.DateFrom.ToString()+"', '"+p.DateTo.ToString()+"', "+Convert.ToBoolean(p.Internet.ToString())+", "+Convert.ToBoolean(p.Telephone.ToString())+")";
command.ExecuteNonQuery();

I tried a lot of things, and this was my last attempt of converting values to be able to insert them.. but it doesn't work.. I always get System.InvalidOperationException

theduck
  • 2,589
  • 13
  • 17
  • 23
Isidora Jovanovic
  • 9
  • 1
  • 7
    Please do not use string concatenation for creating SQL commands. Use parameterized statements to pass values in. Your program is at risk for SQL Injection Attacks. – gunr2171 Nov 18 '19 at 15:21
  • 6
    Oh my goodness, [sanitize your inputs](https://bobby-tables.com/) – LittleBobbyTables - Au Revoir Nov 18 '19 at 15:22
  • Even if you are just learning, do not shortcut on parameters. You should learn the correct way to do it and avoid the bad habit all together. Check out - [https://www.dotnetperls.com/sqlparameter] Welcome to stackoverflow! – tomg Nov 18 '19 at 15:31
  • 2
    https://stackoverflow.com/questions/21073357/how-to-insert-bool-into-database – xdtTransform Nov 18 '19 at 15:35
  • What is the value of "p.Internet.ToString()" and "p.Telephone.ToString()"? Is it Yes/No or True/False? – Azhar Khorasany Nov 18 '19 at 15:45

1 Answers1

3

For various reasons, you SHOULD NOT USE string concatenation on SQL statements. Use parameters. Try like:

command.CommandText = "Insert into Package values (@param1,@param2@param3,@param4,@param5,@param6)";
command.Parameters.Add("@param1",  OleDbType.Integer).Value = p.PackageID;
command.Parameters.Add("@param2",  OleDbType.VarWChar).Value = p.Name;
command.Parameters.Add("@param3",  OleDbType.Date).Value = p.DateFrom;
command.Parameters.Add("@param4",  OleDbType.Date).Value = p.DateTo;
command.Parameters.Add("@param5",  OleDbType.Boolean).Value = bool.Parse(p.Internet.ToString());
command.Parameters.Add("@param6",  OleDbType.Boolean).Value = bool.Parse(p.Telephone.ToString());
command.ExecuteNonQuery();
Martin
  • 16,093
  • 1
  • 29
  • 48
apomene
  • 14,282
  • 9
  • 46
  • 72