c# SQL data type and query

Question

The method of my code is as below:

protected void AddBtn_Click1(object sender, EventArgs e)
{

    string text1 = TextBox1.Text;
    string text2 = TextBox2.Text;
    string text3 = TextBox3.Text;
    string text4 = TextBox4.Text;
    string text5 = TextBox5.Text;
    string text6 = TextBox6.Text;
    string text7 = TextBox7.Text;
    string text8 = TextBox8.Text;
    string text9 = TextBox9.Text;


    if (pnAvailiable == 1)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["XMLConnectionString"].ConnectionString);
        con.Open();
        string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (" + text1 + "," + text2 + "," + text3 + "," + text4 + "," + text5 + "," + text6 + "," + text7 + "," + text8 + "," + text9 + ")";
        SqlCommand cmd = new SqlCommand(str, con);
        cmd.ExecuteNonQuery();
        con.Close();
        Response.Redirect(Request.RawUrl);
    }
}

My database's data type is define as text

The problem is:

1. when the Textbox1 input is an integer, it supposed to convert to string and text1 is a string. But when inserting to the sql, it report error as "int is incompatible with text" and report at "cmd.ExecuteNonQuery();"
2. I change to varchar(50) for my data type in database. The new problem is when I input "6-1", it operates first and put "5" into the database. When I input "a-3", it will report error.

Actually, I just want to type in string and put string into the database.

Please help me figure out the problem. Please indicate which problem you are

Answer 1

protected void AddBtn_Click1(object sender, EventArgs e)
{

    string text1 = TextBox1.Text;
    string text2 = TextBox2.Text;
    string text3 = TextBox3.Text;
    string text4 = TextBox4.Text;
    string text5 = TextBox5.Text;
    string text6 = TextBox6.Text;
    string text7 = TextBox7.Text;
    string text8 = TextBox8.Text;
    string text9 = TextBox9.Text;


    if (pnAvailiable == 1)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["XMLConnectionString"].ConnectionString);
        con.Open();
        string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (@text1,@text2,@text3,@text4,@text5,@text6,@text7,@text8,@text9)";
        SqlCommand cmd = new SqlCommand(str, con);
        cmd.Parameters.AddWithValue("@text1", text1);
        cmd.Parameters.AddWithValue("@text2", text2);
        cmd.Parameters.AddWithValue("@text3", text3);
        cmd.Parameters.AddWithValue("@text4", text4);
        cmd.Parameters.AddWithValue("@text5", text5);
        cmd.Parameters.AddWithValue("@text6", text6);
        cmd.Parameters.AddWithValue("@text7", text7);
        cmd.Parameters.AddWithValue("@text8", text8);
        cmd.Parameters.AddWithValue("@text9", text9);
        cmd.ExecuteNonQuery();
        con.Close();
        Response.Redirect(Request.RawUrl);
    }
}

Answer 2

I suggest you to use Sql Parameter instead of just join a string. Like

   SqlCommand timeSlotCmd = new SqlCommand("delete from xxxxxx   where LeagueId=@LeagueId", conn, tran);
   command.Parameters.Add("@LeagueId", leagueIdValue);
   timeSlotCmd.ExecuteNonQuery();

Answer 3

Since you are not surrounding the values in single quotes, it is subtracting 1 from 6 when it encounters 6-1 . This unexpected behavior is a symptom of a serious security vulnerability that you have in your code. You should spend some time getting familiar with SQL Injection vulnerabilities (currently #1 on the OWASP top 10 list).

Luckily for you, the correct solution will take care of both the error you have encountered as well as the SQL Injection vulnerability.

To fix both problems look into using parameterized queries . Using a parameterized query you can specify the data type of each parameter (while also preventing malicious code injection). For example:

INSERT INTO XML (Part_Number, ......) VALUES (" + text1 + " ...

Would become

INSERT INTO XML (Part_Number, ......) VALUES (@PartNumber ...

This is also much easier to read IMHO. You will need to add the parameter(s) to the SqlCommand object:

SqlParameter PartNumber = new SqlParameter("@PartNumber", SqlDbType.VarChar);
PartNumber.Value = "whatever...";
cmd.Parameters.Add(PartNumber);

Hope this helps!

Answer 4

May be you have to add parameters.

 string str = "INSERT INTO XML (Part_Number, ...) VALUES (:text1, ...)";
 SqlCommand cmd = new SqlCommand(str, con);
 cmd.AddParam(":text1", DbType.Int, 1, ParameterDirection.Input);
 .....
 cmd.ExecuteNonQuery();
 con.Close();
 Response.Redirect(Request.RawUrl);

Answer 5

change

string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES (" + text1 + "," + text2 + "," + text3 + "," + text4 + "," + text5 + "," + text6 + "," + text7 + "," + text8 + "," + text9 + ")"; 

into following

"INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES ('" + text1 + "','" + text2 + "','" + text3 + "','" + text4 + "','" + text5 + "','" + text6 + "','" + text7 + "','" + text8 + "','" + text9 + "')"; 

Answer 6

您的查询不正确，应将varchar插入单个代码（“行的值”）中

string str = "INSERT INTO XML (Part_Number, PowerMin_dBm_RoomTemp, PowerMax_dBm_RoomTemp, ERMin_dB_RoomTemp, ERMax_dB_RoomTemp, OMAMin_uW_RoomTemp, OMAMax_uW_RoomTemp, ModPowerConsumptionMin_W_RoomTemp, ModPowerConsumptionMax_W_RoomTemp) VALUES ('" + text1 + "','" + text2 + "','" + text3 + "','" + text4 + "','" + text5 + "','" + text6 + "','" + text7 + "','" + text8 + "','" + text9 + "')";