When you click submit, the information is not saved in the DB


Query result: INSERT INTO usersTbL VALUES ('Maxim',258963417,'max',25,050,'9517427');


What I have tried:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;

namespace ORI
{
    public partial class sign_up : System.Web.UI.Page
    {
        public string st = "";
        public string msg = "5";
        public string sqlSelect = "";
        public string sqlInsert = "";

        protected void Page_Load(object sender, EventArgs e)
        {
            // Helper is a project-local class (not shown on this page) that opens
            // the .mdf file and runs whatever SQL text it is handed.
            string fileName = "users2.mdf";
            string tableName = "usersTbL";

            // Only act on a POST from the sign-up form.
            if (Request.Form["submit"] != null)
            {
                string username = Request.Form["uName"];

                // Uniqueness check. The user-supplied name is spliced straight into
                // the SQL text, so a quote in the name changes the query itself.
                sqlSelect = "select uName from " + tableName;
                sqlSelect += " where uName = '" + username + "';";
                // Result is never used; IsExist below runs the same query again.
                DataTable testTable = Helper.ExecuteDataTable(fileName, sqlSelect);

                if (Helper.IsExist(fileName, sqlSelect))
                {
                    msg = "user already exists";
                }
                else
                {
                    string id = Request.Form["id"];
                    string firstName = Request.Form["fName"];
                    string Nage = Request.Form["age"];
                    string prefix = Request.Form["prefix"];
                    string phone = Request.Form["phone"];

                    // int.Parse throws on a non-numeric age; report it instead of
                    // crashing the page.
                    int Iage;
                    if (!int.TryParse(Nage, out Iage))
                    {
                        msg = "age must be a whole number";
                        return;
                    }

                    // No column list, so the value order must match the table
                    // definition exactly. id and prefix are quoted here; the query
                    // printed in the comments has them unquoted, so check which
                    // version is actually running.
                    sqlInsert = "INSERT INTO " + tableName;
                    sqlInsert += " VALUES ('" + username + "','" + id + "','" + firstName + "'," + Iage + ",'" + prefix + "','" + phone + "');";

                    Helper.DoQuery(fileName, sqlInsert);
                }
            }
        }
    }
}
Updated 24-Feb-22 10:55am
Comments
_Asif_ 25-Feb-22 5:09am    
you need to share your usersTbL table structure

1 solution

Quote:
When you click submit, the information is not saved in DB

It is impossible to know exactly what your query is, because it depends on the values of the parameters.
Only the debugger can show what the real query is.
Improve the question with a print of the actual sqlSelect.

Never build an SQL query by concatenating strings. Sooner or later you will do it with user input, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user entering a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input is promoted to SQL commands, with all credentials.
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange
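The concatenation-versus-parameters point in the answer above, as an added example that is not part of the answer or of the asker's code. The page's code is C#/ASP.NET against a SQL Server .mdf file, which cannot run stand-alone here, so this uses Python's sqlite3 with an in-memory table; the column names and types of usersTbL are assumed (the page never shows them) and the rows are constructed sample data. It reproduces the two failures the answer describes (an apostrophe breaking the query, and input that rewrites the uniqueness check) plus the leading-zero loss visible in the printed INSERT, each next to the bound-parameter form of the same query.

```python
import sqlite3

# Constructed table mirroring the page's usersTbL. The real column names and
# types are not shown on the page, so these are assumptions for the demo.
SCHEMA = """
CREATE TABLE usersTbL (
    uName  TEXT PRIMARY KEY,
    id     TEXT NOT NULL,
    fName  TEXT NOT NULL,
    age    INTEGER NOT NULL,
    prefix TEXT NOT NULL,
    phone  TEXT NOT NULL
)
"""


def user_exists_concat(conn, username):
    """Vulnerable: same construction as the page's sqlSelect; user text becomes SQL."""
    sql = "select uName from usersTbL where uName = '" + username + "';"
    return conn.execute(sql).fetchone() is not None


def user_exists_param(conn, username):
    """Hardened: the value is bound as data, the SQL text is a constant."""
    sql = "select uName from usersTbL where uName = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def insert_concat(conn, username, id_, first_name, age, prefix, phone):
    """Vulnerable: mirrors the INSERT printed in the comments, id and prefix unquoted."""
    sql = ("INSERT INTO usersTbL VALUES ('" + username + "'," + id_ + ",'" + first_name
           + "'," + str(age) + "," + prefix + ",'" + phone + "');")
    conn.execute(sql)
    conn.commit()


def insert_param(conn, username, id_, first_name, age, prefix, phone):
    """Hardened: explicit column list plus bound values; strings stay strings."""
    sql = ("INSERT INTO usersTbL (uName, id, fName, age, prefix, phone) "
           "VALUES (?, ?, ?, ?, ?, ?)")
    conn.execute(sql, (username, id_, first_name, age, prefix, phone))
    conn.commit()


def stored_prefix(conn, username):
    row = conn.execute("SELECT prefix FROM usersTbL WHERE uName = ?", (username,)).fetchone()
    return None if row is None else row[0]


def fresh_db():
    """In-memory database seeded with one constructed row via the safe path."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    insert_param(conn, "Maxim", "258963417", "max", 25, "050", "9517427")
    return conn


def demo():
    """Run the cases from the answer and return what each approach did."""
    conn = fresh_db()
    out = {}

    # 1. An apostrophe in the name: the concatenated query is no longer valid SQL.
    try:
        user_exists_concat(conn, "O'Conner")
        out["concat_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        out["concat_apostrophe"] = "syntax error"
    out["param_apostrophe"] = user_exists_param(conn, "O'Conner")  # no such user

    # 2. Injection: a crafted name turns the check into "WHERE ... OR '1'='1'",
    #    so it answers True for a user that does not exist. Binding does not.
    payload = "nobody' OR '1'='1"
    out["concat_injected"] = user_exists_concat(conn, payload)
    out["param_injected"] = user_exists_param(conn, payload)

    # 3. The printed INSERT sends the prefix as the bare token 050. SQLite (and
    #    SQL Server) read that as the number 50, so the leading zero is gone
    #    before it reaches the TEXT column; binding "050" as a string keeps it.
    insert_concat(conn, "Nadia", "123456789", "nadia", 30, "050", "5551234")
    out["concat_prefix"] = stored_prefix(conn, "Nadia")
    out["param_prefix"] = stored_prefix(conn, "Maxim")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In the page's ADO.NET setting the equivalent of each `?` is a SqlParameter added to the SqlCommand (for example @uName) while the SQL text stays constant; the value travels as data, so it can never close the quote or add a clause, and a text column receives "050" as text rather than as the number 50.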
Comments
ori samarel 24-Feb-22 17:12pm    
Query result: INSERT INTO usersTbL VALUES ('Maxim',258963417,'max',25,050,'9517427');
Andre Oosthuizen 25-Feb-22 6:06am    
I just saw I missed the line on Iage, deleted my solution, thanks for picking it up.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
