This has been already partially answered, but I'd like to add a few points:
- As already said, you don't need to use `ToString` for a literal; `... ,"NOT AVAILABLE")'` should be sufficient, although this could also be added as a default in the database if the value is always the same in the insert.
- More important than that: never ever concatenate the input from the user as a literal to the SQL statement. The only correct way is to use parameters in order to be safe from SQL injection and help with type conversions etc.
- Third thing is the usage of dispose or using. You should always dispose the disposable objects. I feel that the easiest way is to use using statements instead of calling the Dispose method. For example, in your code you do not dispose the `SqlCommand`.
- Dates, never store the dates in any other format than in a date column. When using proper data types in the database it's easy to query, modify, and calculate with the data. So instead of converting the date into a string, use a parameter and store `DateTime.Now` into it as-is.
- `Dept_Id`, not sure if this is the key and how it's supposed to be handled, but if this column is intended to be the actual primary key for the table, you probably should let the database decide the value for it in order to prevent duplicates. If needed, have a look at `IDENTITY` columns for example.
- The insert statement is executed by calling `ExecuteReader`. However, as this is an insert statement, nothing is expected to be returned from the database. A common practice is to use `ExecuteNonQuery`.

If you have time, I'd suggest going through Properly executing database operations. It explains the fundamentals for executing commands from different points of view.
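
Added example, not part of the original answer or the asker's code: one insert that combines the points above (parameters instead of concatenation, `using` for disposal, `DateTime.Now` passed as a typed value, `ExecuteNonQuery`). The table name `Department`, the columns `Dept_Name`, `Status` and `Created_On`, the column sizes and the `DEPT_DB_CONNECTION` environment variable are assumptions; `Dept_Id` is assumed to be an `IDENTITY` column.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class DepartmentRepository
{
    // Hypothetical table and columns. Dept_Id is assumed to be an IDENTITY
    // column, so the database assigns it and it is left out of the column list.
    private const string InsertSql =
        "INSERT INTO Department (Dept_Name, Status, Created_On) " +
        "VALUES (@name, @status, @createdOn)";

    public static int InsertDepartment(string connectionString, string deptName)
    {
        // using disposes both objects even when an exception is thrown.
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(InsertSql, connection))
        {
            // User input travels as a typed parameter value, never as SQL text.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = deptName;
            command.Parameters.Add("@status", SqlDbType.NVarChar, 50).Value = "NOT AVAILABLE";
            // The DateTime is stored as-is in a date/time column, no string conversion.
            command.Parameters.Add("@createdOn", SqlDbType.DateTime2).Value = DateTime.Now;

            connection.Open();
            // An INSERT returns no result set; ExecuteNonQuery returns the rows affected.
            return command.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // Assumed environment variable holding the connection string.
        string cs = Environment.GetEnvironmentVariable("DEPT_DB_CONNECTION");
        // Constructed input containing SQL metacharacters: it is stored verbatim as data.
        int rows = InsertDepartment(cs, "R&D'); DROP TABLE Department;--");
        Console.WriteLine($"{rows} row(s) inserted");
    }
}
```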