I am creating a user-defined method in ASP.NET in C#.
I am getting the error: Object reference not set to an instance of an object.
The error dialog shows here:
String query = "insert into saveCart(sno,BkName,BkLanguage,BkStd,BkQty,BkPrice,TotalPrice) values(" + sno + ",'" + Session["Name"].ToString() + "','" + BkName + "','" + BkLanguage + "','" + BkStd + "','" + BkQty + "','" + BkPrice + "','" + TotalPrice + "')";


My Database Table is
Column      Data type       Allow nulls
sno         int             Checked
Name        nvarchar(10)    Checked
BkName      nvarchar(100)   Unchecked
BkLanguage  nvarchar(100)   Checked
BkStd       nvarchar(100)   Checked
BkQty       nvarchar(100)   Checked
BkPrice     nvarchar(100)   Checked
TotalPrice  nchar(10)       Checked


What I have tried:

private void saveCart(int sno,  String BkName, String BkLanguage, String BkStd, String BkQty,String BkPrice, String TotalPrice)
      {
          String query = "insert into saveCart(sno,BkName,BkLanguage,BkStd,BkQty,BkPrice,TotalPrice) values(" + sno + ",'" + Session["Name"].ToString() + "','" + BkName + "','" + BkLanguage + "','" + BkStd + "','" + BkQty + "','" + BkPrice + "','" + TotalPrice + "')";
          String mycon = "Data Source=HOME-PC\\SQLEXPRESS;Initial Catalog=NoveltySystem;Integrated Security=True;Pooling=False";
          SqlConnection con = new SqlConnection(mycon);
          con.Open();
          SqlCommand cmd = new SqlCommand();
          cmd.CommandText = query;
          cmd.Connection = con;
          cmd.ExecuteNonQuery();
      }
Updated 1-Feb-19 0:57am
Comments
Richard Deeming 28-Jan-19 12:46pm    
The most likely cause of the exception is that Session["Name"] is null. Debug your code to find out why.
Member 14083059 31-Jan-19 2:55am    
The error shows again and again here:
String query = "insert into saveCart(sno,BkName,BkLanguage,BkStd,BkQty,BkPrice,TotalPrice) values(" + sno + ",'" + Session["Name"].ToString() + "','" + BkName + "','" + BkLanguage + "','" + BkStd + "','" + BkQty + "','" + BkPrice + "','" + TotalPrice + "')";

It shows the "Object reference not set to an instance of an object"

You have too many fields for BkName; remove:
Session["Name"].ToString()
or add the Name field.

Also it is better to use parameterized queries to avoid the risk of SQL injection.
 
To fix the SQL Injection vulnerability:
C#
private void saveCart(int sno,  String BkName, String BkLanguage, String BkStd, String BkQty,String BkPrice, String TotalPrice)
{
    // TODO: Load this from your config file:
    const string mycon = "Data Source=HOME-PC\\SQLEXPRESS;Initial Catalog=NoveltySystem;Integrated Security=True;Pooling=False";
    
    const string query = "insert into saveCart (sno, BkName, BkLanguage, BkStd, BkQty, BkPrice, TotalPrice) values (@sno, @BkName, @BkLanguage, @BkStd, @BkQty, @BkPrice, @TotalPrice)";
    
    using (SqlConnection con = new SqlConnection(mycon))
    using (SqlCommand cmd = new SqlCommand(query, con))
    {
        cmd.Parameters.AddWithValue("@sno", sno);
        cmd.Parameters.AddWithValue("@BkName", BkName);
        cmd.Parameters.AddWithValue("@BkLanguage", BkLanguage);
        cmd.Parameters.AddWithValue("@BkStd", BkStd);
        cmd.Parameters.AddWithValue("@BkQty", BkQty);
        cmd.Parameters.AddWithValue("@BkPrice", BkPrice);
        cmd.Parameters.AddWithValue("@TotalPrice", TotalPrice);
        
        // TODO: Which column are you inserting Session["Name"] into?
        
        con.Open();
        cmd.ExecuteNonQuery();
    }
}

It then becomes obvious that you're specifying more values in the VALUES clause than columns in the INSERT INTO clause - as already mentioned in Solution #1.

You also need to wrap your connection and command objects in using blocks, so that they are cleaned up properly. With your current code, you will eventually run out of connections, and start getting errors when you try to open a new connection.
using statement - C# Reference | Microsoft Docs

You should also look at loading your connection string from your application's configuration file, rather than hard-coding it throughout your code.
Connection Strings and Configuration Files | Microsoft Docs
 
Your query is as below:

 String query = "insert into saveCart(sno,BkName,BkLanguage,BkStd,BkQty,BkPrice,TotalPrice) values(" + sno + ",'" + Session["Name"].ToString() + "','" + BkName + "','" + BkLanguage + "','" + BkStd + "','" + BkQty + "','" + BkPrice + "','" + TotalPrice + "')";

Remove: Session["Name"].ToString()

Your query should be like below:

 String query = "insert into saveCart(sno,BkName,BkLanguage,BkStd,BkQty,BkPrice,TotalPrice) values('" + sno + "','" + BkName + "','" + BkLanguage + "','" + BkStd + "','" + BkQty + "','" + BkPrice + "','" + TotalPrice + "')";


But I think the error is due to Session["Name"] having a null value.
It is always better to use Convert.ToString(Session["Name"]) instead of Session["Name"].ToString().
 
Comments
Member 14083059 31-Jan-19 2:54am    
Sir, can you give some example?
Prasad Nikumbh 30-Jan-19 5:33am    
Yes, I know about SQL injection. But if the project is an old one, sometimes in old projects they might have used this everywhere, so I have provided this solution.
But you can use parameterized. It's the better way. You have to change it everywhere you have used SQL queries.
And another thing: I have just provided the root cause of the issue.
Member 14083059 31-Jan-19 2:53am    
Thank you for giving your solution. Because I used session["Name"], I want to store data session-wise per user login.
Richard Deeming 1-Feb-19 6:45am    
Not fixing a critical security vulnerability because it would be too much work is not a good excuse.
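
The points raised in the answers above, combined into one method as an added example that is not code from the original thread: it checks Session["Name"] for null before use, gives it its own Name column so columns and values match, and passes every value as a typed parameter sized to the table definition in the question. The class name CartPage, the helper OrDbNull and the connection string name "NoveltySystem" in web.config are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class CartPage : Page   // hypothetical Web Forms page class
{
    private void SaveCart(int sno, string bkName, string bkLanguage, string bkStd,
                          string bkQty, string bkPrice, string totalPrice)
    {
        // Session["Name"] is null when nobody is logged in or the session has expired;
        // "as string" yields null instead of throwing a NullReferenceException.
        string userName = Session["Name"] as string;
        if (string.IsNullOrEmpty(userName))
            throw new InvalidOperationException("No logged-in user in the session.");
        if (bkName == null)
            throw new ArgumentNullException("bkName");   // BkName does not allow nulls

        // Assumption: web.config has a connection string named "NoveltySystem".
        string conStr = ConfigurationManager.ConnectionStrings["NoveltySystem"].ConnectionString;

        // Eight columns and eight parameters: Name is now part of the column list.
        const string query =
            "insert into saveCart (sno, Name, BkName, BkLanguage, BkStd, BkQty, BkPrice, TotalPrice) " +
            "values (@sno, @Name, @BkName, @BkLanguage, @BkStd, @BkQty, @BkPrice, @TotalPrice)";

        using (SqlConnection con = new SqlConnection(conStr))
        using (SqlCommand cmd = new SqlCommand(query, con))
        {
            // Types and sizes follow the table definition posted in the question.
            cmd.Parameters.Add("@sno", SqlDbType.Int).Value = sno;
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 10).Value = userName;
            cmd.Parameters.Add("@BkName", SqlDbType.NVarChar, 100).Value = bkName;
            cmd.Parameters.Add("@BkLanguage", SqlDbType.NVarChar, 100).Value = OrDbNull(bkLanguage);
            cmd.Parameters.Add("@BkStd", SqlDbType.NVarChar, 100).Value = OrDbNull(bkStd);
            cmd.Parameters.Add("@BkQty", SqlDbType.NVarChar, 100).Value = OrDbNull(bkQty);
            cmd.Parameters.Add("@BkPrice", SqlDbType.NVarChar, 100).Value = OrDbNull(bkPrice);
            cmd.Parameters.Add("@TotalPrice", SqlDbType.NChar, 10).Value = OrDbNull(totalPrice);
            con.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // A null .NET string must be sent as DBNull.Value; a null Value is treated as "not supplied".
    private static object OrDbNull(string value)
    {
        return (object)value ?? DBNull.Value;
    }
}
```

With an explicit size, ADO.NET sends at most that many characters, so a user name longer than 10 characters is truncated; validate lengths before the call if that is not acceptable.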

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


