Below is the code I am working with to try to insert data into my 'ArticlesTBL' table. I also want to upload an image file to my computer.
I am getting an error reading: Incorrect syntax near 'UploadedUserFiles'.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;
public partial class _CopyOfSubmitArticle : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void uploadbutton_Click(object sender, EventArgs e)
{ string UpPath = Server.MapPath("~/UploadedUserFiles"); int imgSize = FileUpload1.PostedFile.ContentLength; string imgName = FileUpload1.FileName; string imgPath = "UploadedUserFiles/" + imgName; if (FileUpload1.PostedFile.ContentLength > 1000000) { Page.ClientScript.RegisterClientScriptBlock(typeof(Page), "Alert", "alert('File is too big')", true); } else { FileUpload1.SaveAs(Server.MapPath(imgPath)); myinfo.Text = "file" + imgPath + "uploaded."; } String connectionString = WebConfigurationManager.ConnectionStrings["ConnectAntiFrack"].ConnectionString; SqlConnection myConnection = new SqlConnection(connectionString); myConnection.Open(); string ArticleImg = "UploadedUserFiles/" + FileUpload1.FileName; string ArticleTitle = ArticleTitleTextBox.Text; string ArticleContent = ArticleContentTextBox.Text; string ArticleType = ArticleTypeDropdown.Text.ToString(); string ArticleAuthor = ArticleAuthorTextBox.Text.ToString(); string ArticleBrief = ArticleBriefTextBox.Text; string ArticleDateTime = DateTime.Now.ToShortTimeString(); string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief, ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews) VALUES (" + ArticleTitle +", " + ArticleContent +", "+ ArticleType +" " + ArticleImg +", "+ ArticleBrief +"," + ArticleDateTime + ", "+ ArticleAuthor +",'False', 'False', '0')"; SqlCommand myCommand = new SqlCommand(query, myConnection); myCommand.ExecuteNonQuery(); // myinfo.Text = "connection to db is made"; myConnection.Close();
} 2 2 Answers
You should use parameters in your query to prevent attacks, like if someone entered '); drop table ArticlesTBL;--' as one of the values.
string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief, ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews)";
query += " VALUES (@ArticleTitle, @ArticleContent, @ArticleType, @ArticleImg, @ArticleBrief, @ArticleDateTime, @ArticleAuthor, @ArticlePublished, @ArticleHomeDisplay, @ArticleViews)";
SqlCommand myCommand = new SqlCommand(query, myConnection);
myCommand.Parameters.AddWithValue("@ArticleTitle", ArticleTitleTextBox.Text);
myCommand.Parameters.AddWithValue("@ArticleContent", ArticleContentTextBox.Text);
// ... other parameters
myCommand.ExecuteNonQuery();using System;
using System.Data;
using System.Data.SqlClient;
namespace InsertingData
{ class sqlinsertdata { static void Main(string[] args) { try { SqlConnection conn = new SqlConnection("Data source=USER-PC; Database=Emp123;User Id=sa;Password=sa123"); conn.Open(); SqlCommand cmd = new SqlCommand("insert into <Table Name>values(1,'nagendra',10000);",conn); cmd.ExecuteNonQuery(); Console.WriteLine("Inserting Data Successfully"); conn.Close(); } catch(Exception e) { Console.WriteLine("Exception Occre while creating table:" + e.Message + "\t" + e.GetType()); } Console.ReadKey(); } }
}