C#
void add()
       {
           var docnum = SR_Yr.Text + '-' + SR_No.Text;
           string constring = "Data Source=D-HOS-MIS2;Initial Catalog=Consignment_db;Persist Security Info=True;User ID=sa;Password=t.july.01";
           string query = "insert into StockRequesitionTable (SR_DocNo,SR_ItemID) values('"+docnum+"',SRT_ID)";
           SqlConnection con_db = new SqlConnection(constring);
           SqlCommand cmd = new SqlCommand(query, con_db);
           SqlDataReader reader;

           try
           {
               con_db.Open();
               reader = cmd.ExecuteReader();
               while (reader.Read())
               {

               }
           }
           catch (Exception ex)
           {
               MessageBox.Show(ex.Message);
           }
       }


Is there any way to construct it using textboxes, datetime and/or comboboxes along with database tables?

What I have tried:

I've tried to run the code stated above. It prompted for an unknown table at values. I realized I was lacking maybe a join query but I don't know how to construct it.
Updated 25-Jul-18 20:06pm
Comments
CHill60 25-Jun-18 8:03am    
Your question is not at all clear. Why do you think you need a join? Never use concatenated strings to create SQL statements - see SQL Injection Prevention Cheat Sheet - OWASP
Follow the theories on that link and it might answer your question
FranzBe 25-Jun-18 9:37am    
1) "Insert Into" is not a query, so you should use cmd.ExecuteNonQuery() instead of the .ExecuteReader(). You are not reading anything from the database.

2) You should never use database user "sa" for your application. Create a user with the required permissions needed for your application and then use this user.
Richard Deeming 25-Jul-18 10:22am    
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP

You're also going to need to provide a value for the SR_ItemID column.

const string query = "insert into StockRequesitionTable (SR_DocNo, SR_ItemID) values(@docnum, @SRT_ID)";

using (SqlConnection con_db = new SqlConnection(constring))
using (SqlCommand cmd = new SqlCommand(query, con_db))
{
    cmd.Parameters.AddWithValue("@docnum", docnum);
    cmd.Parameters.AddWithValue("@SRT_ID", SRT_ID);
    
    con_db.Open();
    cmd.ExecuteNonQuery();
}
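
Added example, not part of the original thread or any poster's code: one way to combine the advice in the comments above (parameterized insert, ExecuteNonQuery, no "sa" login, no credentials in source) with explicitly typed parameters and a format check on the document number. The class name, the "ConsignmentDb" connection-string name, the document-number pattern and the column types and length are assumptions for illustration.

```csharp
using System;
using System.Configuration;            // needs a reference to System.Configuration
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class StockRequisitionWriter    // hypothetical helper class
{
    // Assumed shape of SR_DocNo: four-digit year, dash, 1-6 digit number ("2018-42").
    static readonly Regex DocNoShape = new Regex(@"^[0-9]{4}-[0-9]{1,6}\z");

    // Returns the number of rows inserted (1 on success).
    // Called from the form as: Add(SR_Yr.Text, SR_No.Text, itemId)
    public static int Add(string year, string number, int itemId)
    {
        string docnum = year.Trim() + "-" + number.Trim();

        // Reject unexpected input early. This is data hygiene only;
        // the parameters below are what keep the input out of the SQL text.
        if (!DocNoShape.IsMatch(docnum))
            throw new ArgumentException("Document number must look like 2018-42.");

        // Assumption: app.config defines a connection string named "ConsignmentDb"
        // that logs in as a low-privilege account (or uses Integrated Security=True)
        // limited to the rights this application needs, instead of "sa".
        string constring =
            ConfigurationManager.ConnectionStrings["ConsignmentDb"].ConnectionString;

        const string query =
            "insert into StockRequesitionTable (SR_DocNo, SR_ItemID) " +
            "values (@docnum, @itemId)";

        using (var con_db = new SqlConnection(constring))
        using (var cmd = new SqlCommand(query, con_db))
        {
            // Explicit types instead of AddWithValue, so the provider does not
            // infer them from the .NET values; type and length here are assumed.
            cmd.Parameters.Add("@docnum", SqlDbType.NVarChar, 20).Value = docnum;
            cmd.Parameters.Add("@itemId", SqlDbType.Int).Value = itemId;

            con_db.Open();
            return cmd.ExecuteNonQuery();   // INSERT returns no rows, so no reader
        }
    }
}
```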

void add()
       {
           var docnum = SR_Yr.Text + '-' + SR_No.Text;
           string constring = "Data Source=D-HOS-MIS2;Initial Catalog=Consignment_db;Persist Security Info=True;User ID=sa;Password=t.july.01";
           string query = "insert into StockRequesitionTable (SR_DocNo,SR_ItemID) values('"+docnum+"',SRT_ID)";
           SqlConnection con_db = new SqlConnection(constring);
           SqlCommand cmd = new SqlCommand(query, con_db);
           

           try
           {
               con_db.Open();
               cmd.ExecuteNonQuery();
               
           }
           catch (Exception ex)
           {
               MessageBox.Show(ex.Message);
           }
       }
 
 
Comments
CHill60 25-Jul-18 9:23am    
Reasons for downvote
- you have not explained what is different in your code to the OP's
- the only difference is the fix suggested by FranzBe in a comment a month ago, so you are essentially "reposting"
- your solution is vulnerable to SQL injection attacks - see my comment from a month ago too.
You can pass a parameter in your query.
 
 
Comments
CHill60 26-Jul-18 5:21am    
I notice that you've had yet another downvote. To avoid this, here are a few words of advice when posting solutions:
1. Don't post multiple solutions to the same question - there is a green "Improve solution" link next to your solution that will allow you to add extra information.
2. Don't put questions, comments, requests for clarification as a solution - use the "Have a Question or Comment?" link next to the question or use the "Reply" link if the OP has posted a comment.
3. Don't just dump code into a solution - include a few words - e.g. for solution 1 here you could have pointed out the difference between your code and the OP's (you still haven't)
4. Make sure you are not repeating what someone else has already said OR if you do wrap stuff up into a single solution then credit the person that made the original comment.

Many members will not take the time to help you with details such as these and will just downvote your solutions regardless. It can be very disheartening but please don't let it stop you from trying to help ... just apply a little more thought to how you are presenting your solutions. Good luck

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


