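Always use SqlParameter objects to pass values to the SQL statement; don't build the statement by concatenating strings. Concatenating user input into the query text leads to SQL injection, because the input is then parsed as part of the SQL instead of being treated as data.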
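con.Open();

// Every value reaches the server as a bound parameter, so text typed into the form
// is treated as data and is never parsed as part of the SQL statement.
// NOTE(review): the INSERT names no columns, so the twelve values bind by their
// position in the staff_doc table definition. Listing the columns explicitly would
// stop a schema change from silently shifting user input into a different column.
string query = "insert into staff_doc values (@value1,@value2,@value3,@value4,@value5,@value6,@value7,@value8,@value9,@value10,@value11,@value12)";
cmd = new SqlCommand(query, con);

// AddWithValue replaces the obsolete SqlParameterCollection.Add(string, object)
// overload, which is easy to confuse with Add(string, SqlDbType).
// AddWithValue infers the SQL type from the .NET value. Where the column types and
// lengths are known, Add(name, SqlDbType, size) with an explicit Value keeps them
// pinned and lets over-long input be rejected before it reaches the table.
cmd.Parameters.AddWithValue("@value1", textBox1.Text);
cmd.Parameters.AddWithValue("@value2", textBox2.Text);
cmd.Parameters.AddWithValue("@value3", textBox3.Text);
cmd.Parameters.AddWithValue("@value4", textBox4.Text);
cmd.Parameters.AddWithValue("@value5", comboBox1.Text);
cmd.Parameters.AddWithValue("@value6", comboBox2.Text);
cmd.Parameters.AddWithValue("@value7", comboBox3.Text);
cmd.Parameters.AddWithValue("@value8", textBox5.Text);
cmd.Parameters.AddWithValue("@value9", textBox6.Text);
cmd.Parameters.AddWithValue("@value10", textBox7.Text);
cmd.Parameters.AddWithValue("@value11", textBox8.Text);
cmd.Parameters.AddWithValue("@value12", textBox9.Text);
// NOTE(review): the visible lines stop before the command is executed; the
// ExecuteNonQuery call and the closing of con are presumably in the code that follows.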