Formatting the SQL query string with user input is vulnerable to SQL injection attacks, because the text the user types becomes part of the SQL statement itself. Always use parameterized queries to prevent SQL injection attacks in SQL Server:
' The statement text contains only placeholders (@Name, @PhoneNo, ...); the
' user-supplied values travel separately as parameters, so they can never be
' interpreted as SQL.
Dim insertSql As String =
    "insert into TBLSubScriptions " &
    "(Name,PhoneNo,Weight,Length,TimeClass,subscriptionStart,subscriptionEnd)" &
    "values (@Name,@PhoneNo,@Weight,@Length,@TimeClass,@subscriptionStart,@subscriptionEnd)"

' NOTE(review): no connection is attached here and the command is not wrapped
' in a Using block; presumably cmd.Connection is assigned and the command is
' executed/disposed by the surrounding code - confirm.
cmd = New SqlClient.SqlCommand(insertSql)

' New SqlParameter(name, value) infers the SQL type from the .NET value, exactly
' like AddWithValue: the .Text values go across as strings and the .Value.Date
' values as DateTime. If the target columns are numeric or date typed, SQL Server
' converts implicitly; declaring each parameter with the column's real SqlDbType
' and size (Parameters.Add(name, type, size).Value = ...) avoids that - the
' column types are not visible here, so this is left for the maintainer to confirm.
With cmd.Parameters
    .Add(New SqlClient.SqlParameter("@Name", txtName.Text))
    .Add(New SqlClient.SqlParameter("@PhoneNo", txtphone.Text))
    .Add(New SqlClient.SqlParameter("@Weight", txtwigh.Text))
    .Add(New SqlClient.SqlParameter("@Length", txtLength.Text))
    .Add(New SqlClient.SqlParameter("@TimeClass", comoTimecl.Text))
    .Add(New SqlClient.SqlParameter("@subscriptionStart", txtDatest.Value.Date))
    .Add(New SqlClient.SqlParameter("@subscriptionEnd", txtenddate.Value.Date))
End With