Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I to insert data into an SQL table using C# as well as implement an upload function?

Below is the code I am working with to try to insert data into my 'ArticlesTBL' table. I also want to upload an image file to my computer.

I am getting an error reading: Incorrect syntax near 'UploadedUserFiles'.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

public partial class _CopyOfSubmitArticle : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{

}

protected void uploadbutton_Click(object sender, EventArgs e)
{
    string UpPath = Server.MapPath("~/UploadedUserFiles");

        int imgSize = FileUpload1.PostedFile.ContentLength;
        string imgName = FileUpload1.FileName;
        string imgPath = "UploadedUserFiles/" + imgName;

        if (FileUpload1.PostedFile.ContentLength > 1000000)
        {
            Page.ClientScript.RegisterClientScriptBlock(typeof(Page), "Alert", "alert('File is too big')", true);
        }

        else
        {
            FileUpload1.SaveAs(Server.MapPath(imgPath));
            myinfo.Text = "file" + imgPath + "uploaded.";
        }



    String connectionString = WebConfigurationManager.ConnectionStrings["ConnectAntiFrack"].ConnectionString;

    SqlConnection myConnection = new SqlConnection(connectionString);

    myConnection.Open();

    string ArticleImg = "UploadedUserFiles/" + FileUpload1.FileName;
    string ArticleTitle = ArticleTitleTextBox.Text;
    string ArticleContent = ArticleContentTextBox.Text;
    string ArticleType = ArticleTypeDropdown.Text.ToString();
    string ArticleAuthor = ArticleAuthorTextBox.Text.ToString();
    string ArticleBrief = ArticleBriefTextBox.Text;
    string ArticleDateTime = DateTime.Now.ToShortTimeString();

    string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief,  ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews) VALUES (" + ArticleTitle +", " + ArticleContent +", "+ ArticleType +" " + ArticleImg +", "+ ArticleBrief +"," + ArticleDateTime + ", "+ ArticleAuthor +",'False', 'False', '0')";

    SqlCommand myCommand = new SqlCommand(query, myConnection);

    myCommand.ExecuteNonQuery();

    //       myinfo.Text = "connection to db is made";
    myConnection.Close();

}
like image 404
Claire Avatar asked Apr 25 '14 19:04

Claire


People also ask

How do I add data to an existing table in SQL?

If you want to add data to your SQL table, then you can use the INSERT statement. Here is the basic syntax for adding rows to your SQL table: INSERT INTO table_name (column1, column2, column3,etc) VALUES (value1, value2, value3, etc); The second line of code is where you will add the values for the rows.

Which SQL command is used to add data to a table?

Simple INSERT statement to add data to the table. Use INSERT Statement to add multiple rows in the table. INSERT INTO SELECT clause to insert the output generated by the SELECT query. INSERT IGNORE clause to ignore the error generated during the execution of the query.

How do I add data to an existing table?

INSERT INTO Syntax 1. Specify both the column names and the values to be inserted: INSERT INTO table_name (column1, column2, column3, ...)

How do you populate a table in SQL?

Populate one table using another table. You can populate the data into a table through the select statement over another table; provided the other table has a set of fields, which are required to populate the first table.


1 Answers

You should use parameters in your query to prevent attacks, like if someone entered '); drop table ArticlesTBL;--' as one of the values.

string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief,  ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews)";
query += " VALUES (@ArticleTitle, @ArticleContent, @ArticleType, @ArticleImg, @ArticleBrief, @ArticleDateTime, @ArticleAuthor, @ArticlePublished, @ArticleHomeDisplay, @ArticleViews)";

SqlCommand myCommand = new SqlCommand(query, myConnection);
myCommand.Parameters.AddWithValue("@ArticleTitle", ArticleTitleTextBox.Text);
myCommand.Parameters.AddWithValue("@ArticleContent", ArticleContentTextBox.Text);
// ... other parameters
myCommand.ExecuteNonQuery();

Exploits of a Mom

(xkcd)

like image 131
Jason Goemaat Avatar answered Sep 28 '22 02:09

Jason Goemaat