Insert data into Access database using C# not working
I am trying to add data to an Access database; so far I have this:
    try
    {
        connection.Open();
        string datainsert = "INSERT INTO clientst (firstname, lastname, address, email, phone, cellphone, notes) VALUES('" + boxaddname.Text.ToString() + "', '" + boxaddlastname.Text + "', '" + boxaddadress.Text + "', '" + boxaddemail.Text + "', '" + boxaddphone + "', '" + boxaddcellphone + "','" + boxaddobs.Text + "')";
        OleDbCommand command = new OleDbCommand(datainsert, connection);
        command.ExecuteNonQuery();
        connection.Close();
        MessageBox.Show("client added,");
    }
    catch (Exception ex)
    {
        MessageBox.Show("error :" + ex);
    }
It doesn't give me any kind of error message; the code executes fine, but nothing is added to the database.
Please note that I'm fairly new to C#, and it's my first time working with databases.
Now hang on a minute there!
You are introducing a potentially disastrous security hole. Let me show you why:
    string datainsert = "INSERT INTO clientst (firstname, lastname, address, email, phone, cellphone, notes) VALUES('" + boxaddname.Text.ToString() + "', '" + boxaddlastname.Text + "', '" + boxaddadress.Text + "', '" + boxaddemail.Text + "', '" + boxaddphone + "', '" + boxaddcellphone + "','" + boxaddobs.Text + "')";
In particular, these lines:
    boxaddname.Text.ToString() // You're converting a string to a string, redundant. :P Missing semicolon here.
    boxaddlastname.Text
    boxaddadress.Text
    boxaddemail.Text
    boxaddphone // Not a security problem, but you're inserting the TextBox control, not its text.
    boxaddcellphone // Same as above.
    boxaddobs.Text
What you're doing is allowing the user to put anything they want into the database. With this, the user can insert whatever they want, or use an SQL injection exploit. You should sanitize your input.
You can do this:
    string query = "INSERT INTO clientst (firstname, lastname, address, email, phone, cellphone, notes) VALUES(@firstname, @lastname, @address, @email, @phone, @cellphone, @notes)";

    using (SqlConnection connection = new SqlConnection(connectionstring))
    using (SqlCommand cmd = new SqlCommand(query, connection)) // the command must be bound to the connection
    {
        connection.Open();
        // Please make sure you edit the SqlDbType to the correct SQL data type. VarChar is the default in this example. It's on you to fix that.
        cmd.Parameters.Add("@firstname", SqlDbType.VarChar).Value = boxaddname.Text;
        cmd.Parameters.Add("@lastname", SqlDbType.VarChar).Value = boxaddlastname.Text;
        cmd.Parameters.Add("@address", SqlDbType.VarChar).Value = boxaddaddress.Text;
        cmd.Parameters.Add("@email", SqlDbType.VarChar).Value = boxaddemail.Text;
        cmd.Parameters.Add("@phone", SqlDbType.VarChar).Value = boxaddphone.Text;
        cmd.Parameters.Add("@cellphone", SqlDbType.VarChar).Value = boxaddcellphone.Text;
        cmd.Parameters.Add("@notes", SqlDbType.VarChar).Value = boxaddnotes.Text;
        // Insert writing code here.
    }
Your problem is this:
You're trying to insert the TextBox control on multiple occasions. At boxaddphone and boxaddcellphone, you need to use textboxname.Text, not textboxname. It's going to throw an exception, and since you're catching all exceptions, you won't know what went wrong. Anything.
Finally, you're adding boxaddobs, which is not inserted in the first INSERT INTO clientst (...) statement.
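
The answer's parameterized insert adapted to the System.Data.OleDb classes the question uses, as an added example that is not part of the original answer: with this provider, markers in a text command are positional `?`, so parameters must be added in column order. The class and method names, the connection string, the `clients.accdb` file name, the 255-character size and the sample values are assumptions.

```csharp
using System;
using System.Data.OleDb;

static class ClientInsertExample // hypothetical name, not from the page
{
    // Column order here must match the order parameters are added below:
    // the OLE DB provider binds "?" markers by position, not by name.
    const string InsertSql =
        "INSERT INTO clientst (firstname, lastname, address, email, phone, cellphone, notes) " +
        "VALUES (?, ?, ?, ?, ?, ?, ?)";

    // Builds the command; every user-supplied value travels as a parameter,
    // so it is never parsed as part of the SQL text.
    public static OleDbCommand BuildInsert(OleDbConnection connection, params string[] values)
    {
        if (values == null || values.Length != 7)
            throw new ArgumentException("Expected 7 values, one per column.", nameof(values));

        var cmd = new OleDbCommand(InsertSql, connection);
        for (int i = 0; i < values.Length; i++)
        {
            // Size 255 assumes Access "Short Text" columns; null becomes a database NULL.
            cmd.Parameters.Add("p" + i, OleDbType.VarWChar, 255).Value =
                (object)values[i] ?? DBNull.Value;
        }
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input: a legitimate name that contains a quote character.
        string[] values = { "Conan", "O'Brien", "1 Example St", "conan@example.com",
                            "555-0100", "555-0101", "Prefers email" };

        // Placeholder connection string; point Data Source at your own .accdb file.
        using (var connection = new OleDbConnection(
            "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=clients.accdb"))
        using (OleDbCommand cmd = BuildInsert(connection, values))
        {
            connection.Open();
            // ExecuteNonQuery returns the affected row count; check it instead of assuming success.
            int rows = cmd.ExecuteNonQuery();
            Console.WriteLine(rows == 1 ? "Client added." : "No row was inserted.");
        }
    }
}
```

With the concatenated query, the quote in `O'Brien` would end the string literal early and change the statement; passed as a parameter it is stored as data.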