
How to insert date from asp page textbox to sql server

I have a button within my web page to inserts a few values into sql server columns. One of these values happens to be of data type Date. The following is my code for my asp.net page:

protected void Button1_Click(object sender, EventArgs e)
{
    con.Open();
    // NOTE: the control names are inside the SQL string, so the literal text
    // 'TextBox2.Text' and 'TextBox1.Text' is sent to the server, not the values
    // typed into the boxes. That is what triggers the date conversion error.
    SqlCommand cmd1 = new SqlCommand("insert into dbo.FillTable values ('TextBox2.Text', 'TextBox1.Text', 'FA0005')", con);
    SqlDataAdapter dr = new SqlDataAdapter(cmd1);
    con.Close();
    DataSet dl = new DataSet();
    dr.Fill(dl); // the adapter re-opens the connection, runs the INSERT and closes it again
    //Label5.Text = dl.Tables[0].Rows[1][9].ToString();
}

I want to be able to have the user enter the date in the format (yyyy-MM-dd), which is the date format for my sql server. "TextBox2" is the textbox that holds the date input. Whenever I simply hard code the date as for ex. '2010-01-01', '50', 'FA0005', it works well and inserts the record. However, when I code it as 'TextBox2.Text', 'TextBox1', etc., it gives me an error saying "Conversion failed when converting date and/or time from character string". Can someone help me with this? It's confusing me because having the date in 'yyyy-mm-dd' format works well, which is the same as the textbox.

protected void Button1_Click(object sender, EventArgs e)
{
    con.Open();
    // string.Format substitutes the textbox values into the SQL text
    SqlCommand cmd1 = new SqlCommand(string.Format("insert into dbo.FillTable values ('{0}', '{1}', 'FA0005')", TextBox2.Text, TextBox1.Text), con);
    SqlDataAdapter dr = new SqlDataAdapter(cmd1);
    con.Close();
    DataSet dl = new DataSet();
    dr.Fill(dl);
}

Now, let's break down the string.Format function. It says that if I have a string to format like this "Hello {0}!", anything I pass in at the zero index of the function will replace every occurrence of {0}. So, let's say I have this string "Hello {0}, and I say again hello {0}!" and I used it like this string.Format("Hello {0}, and I say again hello {0}!", "world"), I would get a string like this "Hello **world**, and I say again hello **world**!".

Note

However, the above solution leaves you open to SQL Injection, so if you want to protect against that then let's go this route.

protected void Button1_Click(object sender, EventArgs e)
{
    con.Open();
    SqlCommand cmd1 = new SqlCommand("insert into dbo.FillTable values (@TextBox2Val, @TextBox1Val, 'FA0005')", con);
    // SqlCommand has no AddParameterWithValue method; the parameters are added
    // through cmd1.Parameters.AddWithValue, and the name includes the @ prefix.
    cmd1.Parameters.AddWithValue("@TextBox1Val", TextBox1.Text);
    cmd1.Parameters.AddWithValue("@TextBox2Val", TextBox2.Text);
    SqlDataAdapter dr = new SqlDataAdapter(cmd1);
    con.Close();
    DataSet dl = new DataSet();
    dr.Fill(dl);
}

Now let's break this down. The statement sent to the SQL server is just what you see, with the @paramname in the string. But, it will send it as a prepare and prepare that statement with the values you provided in the AddParameterWithValue method. Note that here, as long as the value in the TextBox2.Text is a date you don't have to concern yourself with the format because SQL server will take care of that. Bear in mind that SQL server stores it in one format and you'll display it in another but it can convert from a myriad of formats as long as they are valid.

Now, as stated by @Willem, it would behoove you to ensure that the value in TextBox2.Text is in fact a date, so let's do that, add this snippet at the top of the function ...

DateTime theDate;
if (!DateTime.TryParse(TextBox2.Text, out theDate))
{
    // throw some kind of error here or handle it with a default value;
    // here we simply stop before anything is sent to the database
    return;
}

... and then modify the line with the AddParameterWithValue like this ...

cmd1.Parameters.AddWithValue("@TextBox2Val", theDate); // a DateTime, not a string, is now passed to the server

You don't quite have the mechanism of getting the text box values into the insert correct. Additionally this style of database insertion leaves you vulnerable to SQL Injection attacks. One better option would be to parameterize your SqlCommand, as follows:

SqlCommand cmd1 = new SqlCommand("insert into dbo.FillTable values (@Date1, @Date2, @SomeString)", con);

Then, you can specify parameters as follows:

cmd1.Parameters.AddWithValue("@Date1", TextBox1.Text);
cmd1.Parameters.AddWithValue("@Date2", TextBox2.Text);
cmd1.Parameters.AddWithValue("@SomeString", "FA0005"); // the original was missing the closing quote after @SomeString

Specifying parameters eliminates the SQL Injection risk, and also provides a clean mechanism for getting the values from your text boxes to your INSERT. Hope this helps.

You're inputting the text "TextBox2.Text" into the database, not the value of the textbox. Remove the quotes from TextBox2.Text:

SqlCommand cmd1 = new SqlCommand("insert into dbo.FillTable values " +
    "('" + TextBox2.Text + "', '" + TextBox1.Text + "', 'FA0005')", con);

As noted above, you're leaving yourself open to SQL Injection when you're appending strings like this.
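The three answers above agree on the fix: validate the date on the server side and pass the values as parameters rather than splicing them into the SQL text. The following is an added example that pulls those pieces together; it is not code from the question or from any of the answers. It assumes dbo.FillTable has three columns named EntryDate (date), Amount (int) and Code (varchar) (the page never names the columns, so these are placeholders), and it uses DateTime.TryParseExact so that only the yyyy-MM-dd form the question asks for is accepted, then sends the value as a typed SqlDbType.Date parameter so that no character-to-date conversion happens on the server at all.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example, not from the original question or answers.
// Assumed schema (placeholder column names): dbo.FillTable(EntryDate date, Amount int, Code varchar(10)).
public static class FillTableRepository
{
    // Accept only the exact yyyy-MM-dd form the question asks users to type.
    // InvariantCulture avoids locale guessing (01/02/2010 as Jan 2 vs Feb 1).
    public static bool TryParseIsoDate(string input, out DateTime date)
    {
        return DateTime.TryParseExact(
            (input ?? string.Empty).Trim(),
            "yyyy-MM-dd",
            CultureInfo.InvariantCulture,
            DateTimeStyles.None,
            out date);
    }

    // Inserts one row using typed parameters. The SQL text is a constant, so
    // whatever the user types can only ever be data, never part of the statement.
    public static int InsertRow(string connectionString, string dateText, string amountText, string code)
    {
        DateTime entryDate;
        if (!TryParseIsoDate(dateText, out entryDate))
        {
            throw new ArgumentException("Date must be in yyyy-MM-dd form.", "dateText");
        }

        int amount;
        if (!int.TryParse(amountText, NumberStyles.Integer, CultureInfo.InvariantCulture, out amount))
        {
            throw new ArgumentException("Amount must be a whole number.", "amountText");
        }

        const string sql =
            "INSERT INTO dbo.FillTable (EntryDate, Amount, Code) " +
            "VALUES (@EntryDate, @Amount, @Code)";

        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Explicit SqlDbType: the driver sends a DATE, not a string, so the
            // "Conversion failed when converting date" error cannot occur here.
            cmd.Parameters.Add("@EntryDate", SqlDbType.Date).Value = entryDate;
            cmd.Parameters.Add("@Amount", SqlDbType.Int).Value = amount;
            cmd.Parameters.Add("@Code", SqlDbType.VarChar, 10).Value = code;

            con.Open();
            // ExecuteNonQuery is the right call for an INSERT; the DataAdapter/DataSet
            // pair in the question is meant for reading result sets.
            return cmd.ExecuteNonQuery(); // rows affected; 1 on success
        }
    }
}
```

From the page's Button1_Click handler this would be called as `FillTableRepository.InsertRow(connectionString, TextBox2.Text, TextBox1.Text, "FA0005")` inside a try block that shows the ArgumentException message to the user when validation fails. Using `using` blocks means the connection is closed even when the insert throws, which the original handler (con.Close() before dr.Fill) does not guarantee.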
