Click here to Skip to main content
15,888,351 members
Search within:


Ho do I insert XML into SQL server table
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
SQL
ADO.NET
C#3.5
i have an XML and i want to insert that XML into sql server table through inline query

What I have tried:

SQL
strQuery = "insert into tblTransaction (DeliveryNo,Date,AccountNo,Carrier,Service,Status,Manifest,ManifestDate,MasterTracking,Tracking,xmlData) values('" + resxml.GetElementsByTagName("ShipmentID")(0).InnerText + "','" + mxml.GetElementsByTagName("ShipDate")(0).InnerText + "','" + mxml.GetElementsByTagName("AccountNumber")(0).InnerText + "','" + mxml.GetElementsByTagName("Carrier")(0).InnerText + "','" + mxml.GetElementsByTagName("ServiceType")(0).InnerText + "','" + mxml.GetElementsByTagName("Action")(0).InnerText + "','','','" + resxml.GetElementsByTagName("MasterTracking")(0).InnerText + "','" + myxmllist(0).SelectSingleNode("TrackingNumber").InnerText + "','" + mxml.InnerXml + "')"


in xmlData data column i have to insert xml data
Posted
Updated 18-Dec-17 12:56pm
v2
Add a Solution
Comments
PIEBALDconsult 17-Dec-17 13:04pm    
First, learn to use parameterized statements -- they make everything easier.
And if you provide a sample snippet of XML I could probably show you how to amaze your friends -- you're working too hard.

2 solutions

Start by fixing the SQL Injection[^] vulnerability in your code:
C#
const string Query = "INSERT INTO tblTransaction (DeliveryNo, Date, AccountNo, Carrier, Service, Status, Manifest, ManifestDate, MasterTracking, Tracking, xmlData) VALUES (@DeliveryNo, @Date, @AccountNo, @Carrier, @Service, @Status, @Manifest, @ManifestDate, @MasterTracking, @Tracking, @xmlData)";

using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand(Query, connection))
{
    command.Parameters.AddWithValue("@DeliveryNo", resxml.GetElementsByTagName("ShipmentID")(0).InnerText);
    command.Parameters.AddWithValue("@Date", mxml.GetElementsByTagName("ShipDate")(0).InnerText);
    command.Parameters.AddWithValue("@AccountNo", mxml.GetElementsByTagName("AccountNumber")(0).InnerText);
    command.Parameters.AddWithValue("@Carrier", mxml.GetElementsByTagName("Carrier")(0).InnerText);
    command.Parameters.AddWithValue("@Service", mxml.GetElementsByTagName("ServiceType")(0).InnerText);
    command.Parameters.AddWithValue("@Status", mxml.GetElementsByTagName("Action")(0).InnerText);
    
    // TODO: Provide the correct value for these two columns:
    command.Parameters.AddWithValue("@Manifest", ???);
    command.Parameters.AddWithValue("@ManifestDate", ???);
    
    command.Parameters.AddWithValue("@MasterTracking", resxml.GetElementsByTagName("MasterTracking")(0).InnerText);
    command.Parameters.AddWithValue("@Tracking", myxmllist(0).SelectSingleNode("TrackingNumber").InnerText);
    command.Parameters.AddWithValue("@xmlData", mxml.InnerXml);
    
    connection.Open();
    command.ExecuteNonQuery();
}

Now it's obvious that you're missing the value for two columns - Manifest and ManifestDate. Pass the correct value to those two parameters, and you should be good to go.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
 
Share this answer
 
Posted
C#
strQuery = "insert into tblTransaction (DeliveryNo,Date,AccountNo,Carrier,Service,Status,Manifest,ManifestDate,MasterTracking,Tracking,xmlData) values('" + resxml.GetElementsByTagName("ShipmentID")(0).InnerText + "','" + mxml.GetElementsByTagName("ShipDate")(0).InnerText + "','" + mxml.GetElementsByTagName("AccountNumber")(0).InnerText + "','" + mxml.GetElementsByTagName("Carrier")(0).InnerText + "','" + mxml.GetElementsByTagName("ServiceType")(0).InnerText + "','" + mxml.GetElementsByTagName("Action")(0).InnerText + "','','','" + resxml.GetElementsByTagName("MasterTracking")(0).InnerText + "','" + myxmllist(0).SelectSingleNode("TrackingNumber").InnerText + "','" + mxml.InnerXml + "')"

Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
Quote:
Ho do I insert XML into SQL server table

Once you use parameters, you insert XML strings exactly like any other strings, the contain do not matters.
 
Share this answer
 
Posted
Updated 18-Dec-17 14:17pm
v2
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Ho to connect Microsoft access 2021 to a SQL server and create linked tables, using VBA.
inserting xml to sql server
How to insert this table columns and rows in SQL server with ASP.NET
Inserting xml data into sql server Table
Insert the Xml Values in Sql Table
how to insert data from xml document into sql server table?
Cannot insert XML value into SQL server
insert xml file in sql table
I have created on XML file and I want to insert xml file in to sql table.
Batch inserts into SQL server table

Advertise
Privacy
Cookies
Terms of Use
Last Updated 18 Dec 2017
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900