CODEWITHSUNDEEP
c#sql
Celine
Celine

Reputation: 45

Invalid Input in C#

Can someone please tell me why I keep on getting "Invalid Input" on my code?? I've checked my database several times and I cant seem to find the problem. I'm using a normalized database right now.

I just noticed I pasted a wrong code

namespace MemorialSystem
{
    public partial class Reservation : Form
    {
        SqlConnection con;
        SqlCommand cmd;
        SqlDataAdapter adapter;
        SqlCommandBuilder cd;
        DataSet ds;

        public Reservation()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            Form1 o = new Form1();
            o.Show();
            this.Hide();
        }

        private void Reservation_Load(object sender, EventArgs e)
        {
            con = new SqlConnection("Data Source=(local);Initial Catalog=Memorial_park;Integrated Security=True");
            cmd = new SqlCommand("select * from Records", con);
            adapter = new SqlDataAdapter(cmd);
            cd = new SqlCommandBuilder(adapter);
            ds = new DataSet();
        }

        private void button2_Click(object sender, EventArgs e)
        {
            con.Open();
            try
            {

                if (textBox1.Text == "" || textBox2.Text == "" || textBox3.Text == "" || comboBox1.Text == "" || textBox8.Text == "" || dateTimePicker1.Value.ToString("yyyyMMdd HH:mm:ss") == "" || dateTimePicker2.Value.ToString("yyyyMMdd HH:mm:ss") == "" || textBox7.Text == "" || textBox5.Text == "" || dateTimePicker3.Value.ToString("yyyyMMdd HH:mm:ss") == "")
                {
                    MessageBox.Show("Please input a value!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
                }
                else
                {
                    if (MessageBox.Show("Are you sure you want to reserve this record?", "Reserve", MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.Yes)
                    {
                        cmd = new SqlCommand("insert into Records(NameofLotOwner, HomeAddress, TelNo, RelationDeceased, NameOfDeceased, Address, DateofBirth, DateofDeath, PlaceofDeath, CausefDeath, DateofInterment) values('" + textBox1.Text + "', '" + textBox2.Text + "', '" + textBox3.Text + "', '" + comboBox1.SelectedItem + "', '" + textBox8.Text + "', '" + dateTimePicker1.Value.ToString("yyyyMMdd HH:mm:ss") + "', '" + dateTimePicker2.Value.ToString("yyyyMMdd HH:mm:ss") + "', '" + textBox7.Text + "', '" + textBox5.Text + "', '" + dateTimePicker3.Value.ToString("yyyyMMdd HH:mm:ss") + "')", con);

                        cmd.ExecuteNonQuery();

                        MessageBox.Show("Your reservation has been made!", "Reserve", MessageBoxButtons.OK, MessageBoxIcon.Information);
                    }
                }
            }

            catch (Exception x)
            {
                MessageBox.Show("Invalid Input");
            }
            con.Close();
        }

        private void label16_Click(object sender, EventArgs e)
        {

        }
    }
}

Upvotes: 0

Views: 328

Answers (1)

Steve
Steve

Reputation: 216303

I suggest to use a parameterized query like this

   try
   {
        string cmdText = "select username, password from Login " + 
                         "where username=@uname and password=@pwd";
        using(SqlConnection con = new SqlConnection(.....))
        using(SqlCommand cmd = new SqlCommand(cmdText, con);
        {
            con.Open();
            cmd.Parameters.AddWithValue("@uname", textbox1.Text);
            cmd.Parameters.AddWithValue("@pwd", textbox2.Text);
            SqlDataReader reader = cmd.ExecuteReader();
            if (reader.Read())
            {
               ......
            }
        }
    {
    catch (Exception ex)
    {
         .....
    }

In this way, if you have a single quote in user name or password the syntax passed to the underlying engine will be correctly quoted by the framework code and you avoid Sql Injection (see link from dasblinkenlight in comments)

EDIT Now that you have updated your code, I think that my suggestion is more valid now than before.
Using a string concatenation to build a command is a very bad practice as you can see with all that quoting required by a moderate length statement like yours.
If you use the parameter collection of the SqlCommand you will avoid all this mess with quoting strings, decimals and datetime values.

As a side note, don't keep a global connection object open for the lifetime of your form. If you forget to close and dispose your program will start to leak resources and your application becomes unstable (See the using statement and Connection Pooling)

 cmd = new SqlCommand("insert into Records(NameofLotOwner, HomeAddress, TelNo, " + 
                      "RelationDeceased, NameOfDeceased, Address, DateofBirth, " + 
                      "DateofDeath, PlaceofDeath, CausefDeath, DateofInterment) " + 
                      "values(@p1, @p2, @p3,@p4, @p5 @p6, @p6, @p8, @p9,@p10, @p11)", con);
 cmd.Parameters.AddWithValue("@p1", textBox1.Text);
 .....
 cmd.Parameters.AddWithValue("@p6", dateTimePicker1.Value);
 .....

Upvotes: 4

Related Questions