C# winform : add value to database access

Question

0.00/5 (No votes)

See more:

is there any solution beside this code that we can implement to add value in database ? that are more secure than this code below.

What I have tried:

OleDbCommand cmd = con.CreateCommand();    
    con.Open();    
    cmd.CommandText = "Insert into Student(FirstName,LastName)Values('" + textBox1.Text + "','" + textBox2.Text + "')";    
    cmd.Connection = con;    
    cmd.ExecuteNonQuery();    
    MessageBox.Show("Record Submitted","Congrats");    
    con.Close();

Posted 30-Jul-17 19:49pm

Asyraf Patt

Updated 30-Jul-17 20:09pm

Add a Solution

3 solutions

Solution 1

First of all NEVER use string concatenation to create you query. Certain user input can harm you very badly... xkcd: Exploits of a Mom[^]
It is not clear from your code, but if you do not, than add username and password to your connection...

Posted 30-Jul-17 20:04pm

Kornfeld Eliyahu Peter

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Thomas Daniels · Accepted Answer · 2017-07-30T20:07:00

Yes: instead of string concatenation, use parameterized queries:

C#

OleDbCommand cmd = new OleDbCommand("Insert into Student(FirstName,LastName)Values(@FirstName,@LastName)", con);
cmd.Parameters.AddWithValue("@FirstName", textBox1.Text);
cmd.Parameters.AddWithValue("@LastName", textBox2.Text);

The advantages of this:

It's easier to read: there are less quotes to be confused about, so it's harder to have a syntax error here.
Your original code has an SQL injection[^] vulnerability, which is closed by using parameterized queries.

OriginalGriff · Accepted Answer · 2017-07-30T20:09:00

Do not do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

You should also use a try ... catch block around your DB code, and either a finally block to close and dispose the Command and Connection objects, or using blocks to do that automatically.

C# winform : add value to database access

3 solutions

Solution 2

Solution 3

Solution 1

Add your solution here

Preview 0