Raspi Surya

Reputation: 315

Insert data into local SQL Server database from ASP.NET

I am trying to insert data from ASP.NET into a local SQL Server database. I am following https://www.youtube.com/watch?v=8bNCfUaJPf8; maybe you can watch the video first. I am following exactly the same process.

Here is the code :

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs"  Inherits="_Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<style type="text/css">
    .auto-style1 {
        text-align: center;
    }
    .auto-style2 {
        width: 100%;
    }
    .auto-style3 {
        width: 183px;
    }
    .auto-style4 {
        width: 183px;
        height: 21px;
    }
    .auto-style5 {
        height: 21px;
    }
</style>
</head>
<body>
<form id="form1" runat="server">
<div>

    <h2 class="auto-style1">insert data</h2>
    <br />

</div>
    <table class="auto-style2">
        <tr>
            <td class="auto-style4">FirstName :</td>
            <td class="auto-style5">
                <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
            </td>
        </tr>
        <tr>
            <td class="auto-style3">LastName :</td>
            <td>
                <asp:TextBox ID="TextBox2" runat="server"></asp:TextBox>
            </td>
        </tr>
        <tr>
            <td class="auto-style3">City :</td>
            <td>
                <asp:TextBox ID="TextBox3" runat="server"></asp:TextBox>
            </td>
        </tr>
        <tr>
            <td class="auto-style3">&nbsp;</td>
            <td>
                <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Submit" />
            </td>
        </tr>
    </table>
    <asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:ConnectionString %>" OnSelecting="SqlDataSource1_Selecting" SelectCommand="SELECT * FROM [Table]"></asp:SqlDataSource>
</form>
</body>
</html>

Here is the code-behind file:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class _Default : System.Web.UI.Page
{
    // Connection string comes from the <connectionStrings> section of web.config
    SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);

    protected void Page_Load(object sender, EventArgs e)
    {
        // Opened on every request (including the postback that triggers Button1_Click)
        con.Open();
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Builds the INSERT by concatenating the textbox values into the SQL text
        SqlCommand cmd = new SqlCommand("insert into Table (fname, lname, city) values ('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "')", con);
        cmd.ExecuteNonQuery();
        con.Close();

        TextBox1.Text = "";
        TextBox2.Text = "";
        TextBox3.Text = "";
    }
}

When I am trying to insert the data, this error appears:

[image: error message]

[image: table definition]

Upvotes: 1

Views: 2490

Answers (2)

ddeamaral

Reputation: 1443

It's possible your textbox input contains a value that is escaping your string. The method you're using is open to sql injection attacks.

For example: if TextBox1.Text contains a ' character, it would break the query, because it would escape the value.

You'd likely be able to see this if you look at the command text property of the SqlCommand object. I'd highly recommend you take a look at that property, and do some googling about sql injection. If your input on any of those boxes were " '; drop database; --", your whole database would be deleted.

This is likely an issue of your input not being sanitized or passed to sql correctly.

Upvotes: 0
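To make the point of this answer concrete, here is an added example that is not part of the original question or answer. It uses Python's built-in sqlite3 module as a stand-in for SQL Server, with a constructed copy of the question's table (fname, lname, city), so it runs offline. SQLite accepts the same [Table] bracket quoting as SQL Server. executescript is used for the vulnerable version because, like SqlCommand against SQL Server, it executes a batch of several statements; sqlite3's plain execute() would refuse the stacked statement and hide the problem. The two inputs (a surname with an apostrophe and a hostile payload) are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the question's table (fname, lname, city).
SCHEMA = "CREATE TABLE [Table] (fname TEXT, lname TEXT, city TEXT)"

# Constructed payload: closes the VALUES list, appends a DROP, comments out the rest.
PAYLOAD = "x', 'y', 'z'); DROP TABLE [Table]; --"


def new_db():
    """Fresh in-memory database with the constructed table."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con


def insert_concat(con, fname, lname, city):
    """Vulnerable: the same string concatenation as the question's code-behind.
    Whatever the user typed becomes part of the SQL grammar, not just data."""
    sql = ("insert into [Table] (fname, lname, city) values ('"
           + fname + "','" + lname + "','" + city + "')")
    con.executescript(sql)  # batch execution, like SqlCommand on SQL Server
    return sql


def insert_param(con, fname, lname, city):
    """Hardened: values travel as parameters and never touch the SQL text.
    The ASP.NET equivalent is '@fname' placeholders plus cmd.Parameters."""
    con.execute(
        "insert into [Table] (fname, lname, city) values (?, ?, ?)",
        (fname, lname, city),
    )


def rows(con):
    """All rows in insertion order; raises OperationalError if the table is gone."""
    return con.execute("select fname, lname, city from [Table] order by rowid").fetchall()


def demo():
    """Runs both insert styles against benign and hostile input and reports what happened."""
    results = {}

    # 1. A legitimate value containing an apostrophe.
    con = new_db()
    try:
        insert_concat(con, "Conan", "O'Brien", "Boston")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # values ('Conan','O'Brien','Boston') is a syntax error: the quote ends the literal early
        results["concat_apostrophe"] = "error"
    insert_param(con, "Conan", "O'Brien", "Boston")  # stored exactly as typed
    results["param_apostrophe"] = rows(con)

    # 2. A hostile value that tries to drop the table.
    con = new_db()
    insert_param(con, "Alice", "Smith", "Austin")
    insert_param(con, PAYLOAD, "b", "c")  # parameterised: payload is just a string
    results["param_payload"] = rows(con)

    con = new_db()
    insert_param(con, "Alice", "Smith", "Austin")
    try:
        insert_concat(con, PAYLOAD, "b", "c")  # concatenated: DROP TABLE actually runs
        rows(con)
        results["concat_payload"] = "table survived"
    except sqlite3.OperationalError:
        results["concat_payload"] = "table dropped"

    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the question's code-behind the same fix is to write the command as "insert into [Table] (fname, lname, city) values (@fname, @lname, @city)" and attach the textbox values with cmd.Parameters.AddWithValue("@fname", TextBox1.Text) and so on (or cmd.Parameters.Add with an explicit SqlDbType and length, which avoids type inference from the string). The apostrophe case then inserts cleanly and the DROP payload is stored as an ordinary, harmless string.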

mcbowes

Reputation: 798

Table is a SQL keyword; you should be able to use [Table] to distinguish your table name from the keyword.

So try using

SqlCommand cmd = new SqlCommand("insert into [Table] (fname, lname, city) values ('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "')", con);

Upvotes: 4
