
I am working on WinForms using C#, where I have a class User with a DateTime dob variable whose value is inserted into the database (the type of the database column is date).

The function in the User class is:

        {
            string format = "yyyy-MM-dd";

            if (mail.IsMatch(id) && password.Length >= 8 && password == confrmpass)
            {
                con.Open();
                cmd = new SqlCommand($"insert into UserInfo (Username,Password,[Full Name],Email,Address,[Date of birth]) values ('{username}','{password}','{name}','{id}','{address}','{dob.ToString(format)}'", con);                    
                cmd.ExecuteNonQuery();
            }
        }

Next, this class object is created in the Form:

        User user1 = new User();
        user1.register(textname.Text.ToString(), textemail.Text, textaddress.Text, textuser.Text, textpassword.Text, textconfirmpass.Text, metroDateTime1.Value.Date);

where the date is passed from the DateTimePicker.

Now I am getting the error

'Incorrect syntax near '2020-08-31'.'

Why am I getting this error when the SQL date format is the same? How can I solve this?

  • 4
    The first thing you need to do is [use parameters](https://stackoverflow.com/questions/7505808/). Then you need to learn why [that's not how to store passwords](https://security.stackexchange.com/questions/120540/). – Dour High Arch Aug 31 '20 at 16:17
  • 3
    Use SQL Parameters. – Uwe Keim Aug 31 '20 at 16:17

1 Answer


You forgot to close your values opening ( with ) after DOB; see the edit below.

        {
            string format = "yyyy-MM-dd";

            if (mail.IsMatch(id) && password.Length >= 8 && password == confrmpass)
            {
                con.Open();
                cmd = new SqlCommand($"insert into UserInfo (Username,Password,[Full Name],Email,Address,[Date of birth]) values ('{username}','{password}','{name}','{id}','{address}','{dob.ToString(format)}')", con);
                cmd.ExecuteNonQuery();
            }
        }
borrelito
  • 3
    I just want to note that while this fixes the issue as posted, it's not a good solution. Everyone needs to be parameterizing their SQL. – Code Stranger Aug 31 '20 at 16:21
  • Thank you so much, I made such a silly mistake and was wondering what's wrong from hours. Thanks a lot – MARIA PASHA Aug 31 '20 at 16:22
  • 1
    [Little Bobby Tables](https://xkcd.com/327/) – Broots Waymb Aug 31 '20 at 16:22
  • 3
    @Maria please please do not use code like this; it allows anyone to totally take over your database, it leaks passwords, it breaks on different date localisations. There are too many problems with this code; please read the links we have posted. – Dour High Arch Aug 31 '20 at 16:25
  • Something like the approach of https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection should be followed. – borrelito Aug 31 '20 at 16:26
  • 2
    @borrelito - You can use `SqlCommand` and parameterize. They aren't mutually exclusive by any means. In fact, that's exactly how it's done in the linked duplicate. – Broots Waymb Aug 31 '20 at 16:27
  • @BrootsWaymb I wrote something my head wanted, then it turned out to be something different :D I edited my comment – borrelito Aug 31 '20 at 16:31
  • Ok, thank you all. I am actually learning, and it's my very first time using a database and WinForms, so I don't have much knowledge, but I will surely use this information from now on. Thanks a lot – MARIA PASHA Aug 31 '20 at 16:31
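The parameterized version the comments ask for, as an added example that is not the answer's or the asker's code: every value is passed as a typed SqlParameter (so the date travels as a Date, not as a locale-dependent string, and quotes in any field are data rather than SQL), and the Password column receives a salted PBKDF2 hash instead of the plaintext. It assumes a connection string `connStr` supplied by the caller and the UserInfo table from the question; the column lengths and the hash storage format are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public class User
{
    // Assumption: the caller supplies the connection string.
    private readonly string connStr;
    public User(string connStr) { this.connStr = connStr; }

    // Salted PBKDF2-SHA256, stored as "iterations.salt.hash" (base64, assumed format).
    // The plaintext password never reaches the database.
    private static string HashPassword(string password)
    {
        const int iterations = 100_000;
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] hash = kdf.GetBytes(32);
            return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
        }
    }

    public void Register(string name, string id, string address, string username,
                         string password, string confrmpass, DateTime dob)
    {
        if (password.Length < 8 || password != confrmpass) return;
        const string sql =
            "insert into UserInfo (Username,Password,[Full Name],Email,Address,[Date of birth]) " +
            "values (@username,@password,@name,@email,@address,@dob)";
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Parameters are sent separately from the SQL text, so a stray quote
            // in any field is treated as data, never as part of the statement.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 200).Value = HashPassword(password);
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 100).Value = id;
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address;
            // Typed Date parameter: no ToString(format), so culture settings cannot alter it.
            cmd.Parameters.Add("@dob", SqlDbType.Date).Value = dob.Date;
            con.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Login then re-derives the hash from the submitted password with the stored salt and iteration count and compares it in constant time; the e-mail validation from the original method is omitted here for brevity.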