Don't do it like that!
Your code is vulnerable to SQL Injection.
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
And there's no need to manipulate the string like that before parsing the date. Just use the correct format in ParseExact:
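    using System;
    using System.Data.SqlClient;

    // Parse the text box value directly with the format the user types it in.
    DateTime date = DateTime.ParseExact(edData.Text, "dd/MM/yyyy", System.Globalization.CultureInfo.InvariantCulture);

    // The SQL text is a constant; user input is only ever passed as parameter values.
    // Note: there is no WHERE clause, so as written this updates every row in tb_spese.
    const string Query = "UPDATE tb_spese SET id_codice = @idCodice, data = @date, entrata = @entrata";

    using (var connection = new SqlConnection("..."))
    using (var command = new SqlCommand(Query, connection))
    {
        command.Parameters.AddWithValue("@idCodice", idCodice);
        command.Parameters.AddWithValue("@date", date);
        command.Parameters.AddWithValue("@entrata", entrata);

        connection.Open();
        command.ExecuteNonQuery();
    }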
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
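A variant of the parameterized update in the answer above, added here as an illustration and not part of the original answer: it validates the raw text with TryParse/TryParseExact so malformed input is rejected instead of throwing, and binds each value with an explicit SqlDbType rather than letting AddWithValue infer one. The class and method names are hypothetical, and the column types (int, date, decimal(18,2)) are assumptions, since the page does not state the schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class SpeseUpdate // hypothetical name
{
    // Same statement as in the answer above; user input never becomes part of this text.
    const string Query =
        "UPDATE tb_spese SET id_codice = @idCodice, data = @date, entrata = @entrata";

    // Validates the raw text first, then binds each value with an explicit SQL type.
    // Assumed column types (not stated on the page): int, date, decimal(18,2).
    public static bool TryBuild(SqlConnection connection, string rawId, string rawDate,
                                string rawEntrata, out SqlCommand command)
    {
        command = null;
        // The TryParse family returns false on malformed input instead of throwing.
        if (!int.TryParse(rawId, NumberStyles.None, CultureInfo.InvariantCulture, out int idCodice) ||
            !DateTime.TryParseExact(rawDate, "dd/MM/yyyy", CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out DateTime date) ||
            !decimal.TryParse(rawEntrata, NumberStyles.Number, CultureInfo.InvariantCulture,
                              out decimal entrata))
            return false;

        command = new SqlCommand(Query, connection);
        command.Parameters.Add("@idCodice", SqlDbType.Int).Value = idCodice;
        command.Parameters.Add("@date", SqlDbType.Date).Value = date;
        SqlParameter amount = command.Parameters.Add("@entrata", SqlDbType.Decimal);
        amount.Precision = 18;
        amount.Scale = 2;
        amount.Value = entrata;
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs: one well-formed date, one with a stray quote appended.
        foreach (string raw in new[] { "25/12/2023", "25/12/2023'" })
            using (var connection = new SqlConnection()) // never opened, so no server is needed
            {
                bool ok = TryBuild(connection, "7", raw, "120.50", out SqlCommand cmd);
                Console.WriteLine($"{raw} -> {(ok ? "accepted" : "rejected")}");
                cmd?.Dispose();
            }
    }
}
```

In real use the caller would open the connection and call ExecuteNonQuery on the returned command, as the answer does.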