INSERT Data to SQL Database

Lofa · September 17th, 2005, 09:14 AM

How do I insert data from a input textbox or textarea into MS SQL database table

g2000 · September 17th, 2005, 09:26 PM

string insertSQL, yourConnectionString;
int numberRecAdded;

insertSQL = " insert into ..... "; // your insert sql string
yourConnectionString = ".... "; // your connection string

SqlConnection dbConn = new SqlConnection(yourConnectionString);
SqlCommand cmd = new SqlCommand(insertSQL, dbConn);

try{
dbConn.Open();
int numberRecAdded = cmd.ExecuteNonQuery();
}

catch(Exception err){

}

Lofa · September 18th, 2005, 10:46 AM

I don't see where the code takes value from a text box ex. <input type="text" ID="Fname" name="Fname" value="" runat="server">
I have on my page several input fileds ex. register pages. I have on page fields user id, PWD and e-mail. All the filed values should insert into sql database.

g2000 · September 18th, 2005, 12:55 PM

I will put onclick attribute inside the definition of input box. In your case,
<input type="text" ID="Fname" name="Fname" value="" runat="server" onclick="Fname_Click">

Then, put whatever insert logic inside the the function Fname_Click such as

protected void Fname_Click(object sender, EventArgs e){
... your insert SQL code ...
}

Aaron Edwards · September 20th, 2005, 03:50 PM

Assuming your form has a submit button on it, and assuming it's an ASP.NET server control, not a basic html submit button, and assuming your using Visual Studio.NET, just double click on the button in the Form Designer, which will take you into code view, and create a btnSubmit_Click subroutine for you where btnSubmit is the ID of your button.

Then, inside the procedure write some code like this.

Code:

dim cnxn as new SQLConnection
dim cmd as new SQLCommand
cnxn.ConnectionString = "<your connection string goes here>"
cnxn.open
cmd.Connection = cnxn

Now we get to where there are two different methodologies for doing the same thing. The simpler, faster way is to say something like...

Code:

cmd.CommandText = "INSERT INTO <tableName> (<field1>,<field2>,<etc>) VALUES ('" & Me.Fname.Text & "', '" & Me.Lname.Text & "', '" & Me.<whateverControlName>.Text & "')"
cmd.ExecuteNonQuery
cmd.dispose
cnxn.dispose

In the above example, I treated all three fields as text type fields, and so the single quote was needed. It's not needed for numbers, except dates. Also, the Me. part is optional, I just use it because intellisense brings up a list of my controls and I can do less typing.

The problem with the above method is that any single quotes/apostrophes in the user's input will cause an error, since single quotes are used by SQL as a delimeter, so if I enter my address as "Aaron's house", for example, your app will crash. In reality, this is easy to check for, just do a replace for each textbox, and replace one single quote with two, e.g.

Code:

fname.text = fname.text.Replace("'", "''")

A bigger problem with the above method is that it leaves you exposed to a type of hack called a SQL Injection Attack, whereby a hacker types in "OR 1=1" into one of your textboxes and gets access to restricted information.

A safer, preferred method is to use SQL parameters, which eliminates both problems. So the first part would look the same, but then you'd add:

With cmd.Parameters
   .Add (New SqlParameter ("@FirstName", Fname.Text))
   .Add (New SqlParameter ("@LastName", Lname.Text))
   .Add (New SqlParameter ("@MiddleInitial", MI.Text)) 'for example
End With

Then your INSERT statement changes to:

[code]cmd.CommandText = "INSERT INTO <tableName> (<field1>,<field2>,<etc>) VALUES (@FirstName, @LastName, @MiddleInitial)"[code]

As you can see, the code is also a whole lot cleaner.

Hope that helps!

Aaron