stackoom
  简体   繁体   中英

How to insert decimal value from textbox into database with c#

 原文  2019-03-20 11:58:06       c#/ sql-server

Question

I'm using a SQL Server database and Windows Forms application. I have 2 textboxes and 1 combobox. Users inputs their name and working rate into the textboxes and they chose year from combobox. I try to insert those values into my database.

EX: 

2018    Mike    39,72     WORKERS

In database: 

year --> nvarchar(4)
name --> nvarchar(50)
rate --> decimal(18,2)
type --> nvarchar(50)

My code is like: 

SqlCommand cmd = new SqlCommand("INSERT INTO USERS(YEAR,NAME,RATE,TYPE) VALUES ('" + yearcombo.Text + "','" + name.Text + "','" + Convert.ToDecimal(rate.Text, CultureInfo.CurrentCulture) + ",'" + "WORKERS" + "')", connection);

I get this error:

There are fewer columns in the INSERT statement than values specified in the VALUES clause. The number of values in the VALUES clause must match the number of columns specified in the INSERT statement.

2 answers

solution1
 11  2019-03-20 12:05:09

This kind of insert is vulnerable to injection and as you have already discovered it is hard to add values like decimal, DateTime, ... to add columns, use Parameters.Add 

SqlCommand cmd = new SqlCommand("INSERT INTO USERS(YEAR,NAME,RATE,TYPE) VALUES (@year, @name,@rate,@type)", connection);

cmd.Parameters.Add("@year", SqlDbType.Int).Value = int.Parse(yearcombo.Text);
cmd.Parameters.Add("@name", SqlDbType.VarChar).Value = name.Text;
cmd.Parameters.Add("@rate", SqlDbType.Decimal).Value = Convert.ToDecimal(rate.Text, CultureInfo.CurrentCulture);
cmd.Parameters.Add("@type", SqlDbType.VarChar).Value = "WORKERS";

Imagine that somebody changes the yearcombo value (as simply as using inspect element in chrome for example) and set it to:

"2019,'a',1,'Something');insert into ARESTRICTEDTABLE(somefield) values('somecolumn'); update AnotherTable set SomeField = 'somevalue');, insert into users(year,name,rate,type),(2019,"

then your command text would be: 

"insert into users (year,name,rate,type) (2019,'a',1,'Something');insert into ARESTRICTEDTABLE(somefield) values('somecolumn'); update AnotherTable set SomeField = 'somevalue');, insert into users(year,name,rate,type),(2019," ,'" + name.Text + "','" + Convert.ToDecimal(rate.Text, CultureInfo.CurrentCulture) + ",'" + "WORKERS" + "')"

solution2
 7  2019-03-20 12:04:49

You should use SqlParameter with a query containing parameters : It should be like this : 

SqlCommand cmd = new SqlCommand("INSERT INTO USERS(YEAR,NAME,RATE,TYPE) VALUES (@YEAR, @NAME, @RATE, @TYPE)", connection);
cmd.Parameters.Add(new SqlParameter("@YEAR", yearcombo.Text));
cmd.Parameters.Add(new SqlParameter("@NAME", name.Text));
cmd.Parameters.Add(new SqlParameter("@RATE", Convert.ToDecimal(rate.Text, CultureInfo.CurrentCulture)));
cmd.Parameters.Add(new SqlParameter("@TYPE", "WORKERS"));

I didn't test it but it convert your parameter to a correct decimal for your query. Also it is better to use SqlParameter for security issues (preventing SQL Injection )

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question From textbox to decimal value then into access database in c# c# How to insert textbox value and save it to sql database? How to clear textbox value after insert to the database in c#? insert data from database to textbox C# TextBox Error Decimal Value insert button to database how to check if value exists in database from textbox c# C# Database Insert not working from textbox to listbox how to insert data from textbox to access database using where in c# Insert into textbox c# mdb database how do I insert into a textBox a value from MS-Access in visual studio c# using OleDb?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM