Have you ever heard of SQL Injection, which has been one of the top 10 application vulnerabilities for over 20 years? Your code is susceptible to it; you should NEVER EVER create a query by concatenating SQL commands with user input.
The proper way to put user input into an SQL Query is to use Parameters. In the .NET Framework it is a collection that is one of the properties of the command element.
Besides eliminating the security risks, it also takes care of the data-types so that you will not need to wrap text in single quotes etc. The code also looks a lot cleaner.
This is what your code could look like when implementing this:
Con.ConnectionString = "Data Source=.... Security=True"
Con.Open()
' The SQL text is fixed; user input is supplied only through the parameters below
Cmd = New SqlCommand("Insert into table values (@T1, @T2, @T3, @T4, @CB1) ", Con)
Cmd.Parameters.AddWithValue("@T1", Text1.Text)
Cmd.Parameters.AddWithValue("@T2", Text2.Text)
Cmd.Parameters.AddWithValue("@T3", Text3.Text)
Cmd.Parameters.AddWithValue("@T4", Text4.Text)
Cmd.Parameters.AddWithValue("@CB1", CheckBoxList.Text)
Cmd.ExecuteNonQuery()
Con.Close()
Reference: MS Docs: SqlParameterCollection.AddWithValue(String, Object) Method
Now onto your issue.... You really weren't clear in the question and did not provide sample input and desired results, so I can only assume that you want to have one row entered for each checkbox that is checked.
If you are using a newer version of SQL Server, there is a table function called STRING_SPLIT() which will return a table, splitting delineated values into rows.
If your CheckBox is returning a comma-delineated list, you can simply replace your INSERT command with this line of T-SQL:
INSERT into Table
SELECT @T1, @T2, @T3, @T4, value
FROM STRING_SPLIT(@CB1, ',')
Reference: MS Docs: STRING_SPLIT (Transact-SQL)
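The parameterized INSERT combined with STRING_SPLIT from the answer above, as an added T-SQL example that is not part of the original answer. The temp table #Registration, its column names and all sample values are constructed for illustration; sp_executesql stands in for the client-side SqlCommand so the script can be run directly in a query window.

```sql
-- Added example. Requires SQL Server 2016+ (database compatibility level 130)
-- for STRING_SPLIT. Table, columns and values are constructed placeholders.
CREATE TABLE #Registration (
    T1     nvarchar(100),
    T2     nvarchar(100),
    T3     nvarchar(100),
    T4     nvarchar(100),
    Choice nvarchar(100)
);

-- The statement text is a constant. User input is never spliced into it;
-- it is passed only as parameter values, the same separation of statement
-- text and data that SqlCommand.Parameters provides in .NET.
DECLARE @stmt nvarchar(max) = N'
    INSERT INTO #Registration (T1, T2, T3, T4, Choice)
    SELECT @T1, @T2, @T3, @T4, LTRIM(RTRIM(value))
    FROM STRING_SPLIT(@CB1, '','')
    WHERE LTRIM(RTRIM(value)) <> '''';';  -- skip empty items such as "a,,b"

EXEC sp_executesql
    @stmt,
    N'@T1 nvarchar(100), @T2 nvarchar(100), @T3 nvarchar(100),
      @T4 nvarchar(100), @CB1 nvarchar(400)',
    @T1  = N'O''Brien',                 -- embedded quote is stored as data
    @T2  = N'text with ; and '' in it', -- SQL metacharacters stay literal
    @T3  = N'third',
    @T4  = N'fourth',
    @CB1 = N'Red, Green,,Blue';         -- constructed checkbox selection

-- One row per non-empty checkbox value; T1..T4 are repeated on each row.
SELECT T1, T2, T3, T4, Choice FROM #Registration;

DROP TABLE #Registration;
```

The LTRIM/RTRIM and the empty-value filter are additions beyond the answer's three-line statement; drop them if the checkbox list never produces padded or empty items.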