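First problem: Your select command (`scmd3`) is using string concatenation to insert the user ID, leaving it vulnerable to SQL Injection: the value typed by the user becomes part of the SQL text instead of being passed to the database as data.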
Second problem: You have two separate commands which know nothing about each other. The data returned from `scmd3` isn't going to magically transfer itself to the `INSERT` statement in `cmd`.
Third problem: You never execute either command.
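The solution is simple: combine the two commands into a single `INSERT` statement, and pass the user ID as a parameter (`@UserID`) rather than concatenating it into the command text: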
// One INSERT ... SELECT statement: the rows read from Table2 are written to
// Table1 by the database itself, so nothing has to be carried between two
// separate commands in C#.
// The SQL text is a compile-time constant. The user ID appears in it only as
// the @UserID placeholder, so user input never becomes part of the statement.
const string commandText = @"INSERT INTO Table1
(
User_ID,
FT_UNDERGR,
DATE,
FT_GRAD,
FTE_UNDERG,
FTE_GRAD,
NON_CREDIT,
TOTAL_FTE,
FCFTUHC,
FCFTPBHC,
FCPTUHC,
FCPTPBHC,
NCHC,
UnderG12,
Postb9,
Total123b4b,
FTEYR,
THCAS,
FTE40,
HC50,
FTE4050
)
SELECT
User_ID,
FT_UNDERGR,
DATE,
FT_GRAD,
FTE_UNDERG,
FTE_GRAD,
NON_CREDIT,
TOTAL_FTE,
FCFTUHC,
FCFTPBHC,
FCPTUHC,
FCPTPBHC,
NCHC,
UnderG12,
Postb9,
Total123b4b,
FTEYR,
THCAS,
FTE40,
HC50,
FTE4050
FROM
Table2
WHERE
User_ID = @UserID
;";

// The connection string is looked up by name in the application's configuration.
string connectionString = ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString;

// Both objects are disposed when their using block exits, including on an exception.
using (SqlConnection connection = new SqlConnection(connectionString))
{
    using (SqlCommand command = new SqlCommand(commandText, connection))
    {
        // The text box value is bound to @UserID and sent as a parameter value,
        // separately from the SQL text.
        // NOTE(review): AddWithValue infers the SQL type from the .NET value, and a
        // string is sent as NVARCHAR. If User_ID is a numeric or VARCHAR column,
        // parse/validate the text first and use Parameters.Add with an explicit
        // SqlDbType - confirm against the table schema.
        command.Parameters.AddWithValue("@UserID", TextBoxUser_ID.Text);

        connection.Open();

        // ExecuteNonQuery returns the number of rows affected; it is not checked
        // here, so an ID with no match in Table2 inserts nothing and reports nothing.
        command.ExecuteNonQuery();
    }
}