c#sqldatabasefile-upload
How do I to insert data into an SQL table using C# as well as implement an upload function?
Below is the code I am working with to try to insert data into my 'ArticlesTBL' table. I also want to upload an image file to my computer.
I am getting an error reading: Incorrect syntax near 'UploadedUserFiles'.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.IO;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;
public partial class _CopyOfSubmitArticle : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void uploadbutton_Click(object sender, EventArgs e)
{
string UpPath = Server.MapPath("~/UploadedUserFiles");
int imgSize = FileUpload1.PostedFile.ContentLength;
string imgName = FileUpload1.FileName;
string imgPath = "UploadedUserFiles/" + imgName;
if (FileUpload1.PostedFile.ContentLength > 1000000)
{
Page.ClientScript.RegisterClientScriptBlock(typeof(Page), "Alert", "alert('File is too big')", true);
}
else
{
FileUpload1.SaveAs(Server.MapPath(imgPath));
myinfo.Text = "file" + imgPath + "uploaded.";
}
String connectionString = WebConfigurationManager.ConnectionStrings["ConnectAntiFrack"].ConnectionString;
SqlConnection myConnection = new SqlConnection(connectionString);
myConnection.Open();
string ArticleImg = "UploadedUserFiles/" + FileUpload1.FileName;
string ArticleTitle = ArticleTitleTextBox.Text;
string ArticleContent = ArticleContentTextBox.Text;
string ArticleType = ArticleTypeDropdown.Text.ToString();
string ArticleAuthor = ArticleAuthorTextBox.Text.ToString();
string ArticleBrief = ArticleBriefTextBox.Text;
string ArticleDateTime = DateTime.Now.ToShortTimeString();
string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief, ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews) VALUES (" + ArticleTitle +", " + ArticleContent +", "+ ArticleType +" " + ArticleImg +", "+ ArticleBrief +"," + ArticleDateTime + ", "+ ArticleAuthor +",'False', 'False', '0')";
SqlCommand myCommand = new SqlCommand(query, myConnection);
myCommand.ExecuteNonQuery();
// myinfo.Text = "connection to db is made";
myConnection.Close();
}
Solution
You should use parameters in your query to prevent attacks, like if someone entered '); drop table ArticlesTBL;--' as one of the values.
string query = "INSERT INTO ArticlesTBL (ArticleTitle, ArticleContent, ArticleType, ArticleImg, ArticleBrief, ArticleDateTime, ArticleAuthor, ArticlePublished, ArticleHomeDisplay, ArticleViews)";
query += " VALUES (@ArticleTitle, @ArticleContent, @ArticleType, @ArticleImg, @ArticleBrief, @ArticleDateTime, @ArticleAuthor, @ArticlePublished, @ArticleHomeDisplay, @ArticleViews)";
SqlCommand myCommand = new SqlCommand(query, myConnection);
myCommand.Parameters.AddWithValue("@ArticleTitle", ArticleTitleTextBox.Text);
myCommand.Parameters.AddWithValue("@ArticleContent", ArticleContentTextBox.Text);
// ... other parameters
myCommand.ExecuteNonQuery();
- Why does an empty preprocessor command still evaluate to something?
- How to implement variable sized array within C struct
- Character array typecasting to integer
- How can I exclude non-numeric keys? CS50 Caesar Pset2
- How to get the sign, mantissa and exponent of a floating point number
- Why do MCU libraries use logic operations instead of bitfield structs?
- What kind of implementation can I use for a static associative array on a vintage system with very limited resources?
- Determine libraries to link against for a windows library function?
- Passing macro values to arm linker that places variable at a specific location
- running a program with wildcards as arguments
- How to perform addition of two vectors of 8-bit integers with a single addition in C/C++
- GNU RISC-V Embedded GCC throws "x ISA extension `xw' must be set with the versions" error
- Counting pulses using a swiss flow meter with an Arduino, how is it done?
- How to create a folder in C (need to run on both Linux and Windows)
- Is there any way to compute the width of an integer type at compile-time?
- How can I initialize all members of an array to the same value?
- Is C notably faster than C++
- How to get the Windows SDK version number a program is compiling with at compile time
- Confused by difference between expression inside if and expression outside if
- Equivalent of atoi for unsigned integers
- k&r: Exercise 1-18. Program takes input but doesnt produce any output?
- Using in C thrd_sleep() to either wait for time or interrupt by signal. Example?
- How can I compute `exp(x)/2` when `x` is large?
- c programming: answer always equates to 0
- Is it possible to access a parameter of a function from another function in C?
- Will this expression evaluate to true or false (1 or 0) in C?
- What Is the Return Value of strcspn() When Str1 Does not Contain Str2?
- Mapping a numeric range onto another
- Signalled and non-signalled state of event
- Why is faster to do a branch than a lookup?