Hi!
Thanks for answering.
Oh, you're right. This is just a training case in my school studies. I was just looking for the proper syntax which, for some reason, I didn't find.
Of course I'll use a database or do it the proper way as you mentioned.

Marty Thompson wrote:
> The values strUn and strPw are not actually available to that sql command.
> To do it the way you are currently doing it, you will need to concatenate
> the values inside the command string. Like so:
>
> sqlcmd.CommandText = "INSERT INTO tblUsers(Username,Password) VALUES('" + strUn + "','" + strPw + "')";
>
> It's important to know that this is a huge security risk. If you had a user
> with malicious intents, they could inject other dangerous commands in the
> username or password text boxes. You should look into parameterized queries
> and/or stored procedures.
>
> On 10/2/06, Krij <gsb58 start.no> wrote:
> >
> > Hi!
> >
> > Can anybody tell me what I'm missing here?
> >
> > I'm trying to insert a new record into a sql-database from code at
> > runtime (not stored procedure), but get the following error message:
> >
> > "The 'strUn' is not permitted in this context.
> > Only constants, expressions or variables allowed here.
> > Column names are not permitted."
> >
> > //Create sql connection
> > SqlConnection con = new SqlConnection
> >     ("server=LocalHost;database=Users;uid=geir;pwd=geir");
> >
> > //Open database connection
> > con.Open();
> >
> > //Create variables to hold values from textboxes
> > string strUn = txtUsername.Text;
> > string strPw = txtPassword.Text;
> >
> > //Create a sqlCommand to insert textbox values into sql-database
> > SqlCommand sqlcmd = new SqlCommand();
> > sqlcmd.CommandText = "INSERT INTO tblUsers(Username,Password) VALUES(strUn, strPw)";
> > sqlcmd.Connection = con;
> >
> > try
> > {
> >     sqlcmd.ExecuteNonQuery();
> > }
> > catch(SqlException ex)
> > {
> >     lblInfo.Text = "ExecuteNonQuery failed because: \n" +
> >         "\n" +
> >         ex.Message;
> > }
> > finally
> > {
> >     con.Close();
> > }
>
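Marty's recommendation (parameterized queries) applied to the same INSERT, as an added example that is not part of the thread. The connection string is a placeholder and the column sizes are assumed; the SQL text stays fixed and the text box contents travel as parameter values, so a quote character or SQL keyword typed into the form is stored as plain data rather than becoming part of the command.

```csharp
// Added example (not from the thread): the same INSERT done with a
// parameterized SqlCommand instead of string concatenation.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserInsert
{
    // Inserts one row into tblUsers and returns the number of rows affected
    // (1 on success). username/password come straight from the text boxes.
    public static int InsertUser(string connectionString, string username, string password)
    {
        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand sqlcmd = con.CreateCommand())
        {
            // @Username and @Password are placeholders; the command text never
            // changes no matter what the user typed.
            sqlcmd.CommandText =
                "INSERT INTO tblUsers(Username, Password) VALUES(@Username, @Password)";

            // Typed parameters: the provider sends the values separately from the
            // SQL text, so they cannot alter the statement. Sizes (50, 128) are
            // assumed to match the column definitions.
            sqlcmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            sqlcmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value = password;

            con.Open();
            return sqlcmd.ExecuteNonQuery();
            // using-blocks close the connection even if ExecuteNonQuery throws,
            // replacing the manual try/finally from the original post.
        }
    }
}
```

In the form's code-behind this replaces the concatenated command with `UserInsert.InsertUser(connStr, txtUsername.Text, txtPassword.Text)`, and the SqlException handling can stay as it was.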
You received this message because you are subscribed to the Google Groups "C-Sharp (C#)" group.