MySQL in C# problem

  • Question

  • I want the user to create an account on my database using a textbox, but I have no idea how to make it work. This is what I've got; what am I doing wrong? What way can you make the textbox get info and store it in the database?

    This is what I got:

    cmd.CommandText = "INSERT INTO Account (LoginName) VALUES ("+textBox1.Text+")";

    It compiles, but when I use it I get this error:

    MySQL exception was unhandled:
    Column count doesn't match value count at row 1

    Thanks for the help in advance.
    Sunday, June 10, 2007 7:07 PM

Answers

  • The problem is in the SQL syntax you are using. Also I believe that textBox1.Text may be empty.

    To insert a string you need to use the single-quote character before and after your string.

    However, I should also point out that the method of executing queries that you are using is vulnerable to SQL-injection. A brief example is if the user were to enter this text into your textbox, you would have a rough day: "newuser'); DROP TABLE Account  --"

    You need to use Parameterized Queries.

    Change your code to this:

    Code Snippet

    cmd.CommandText = "INSERT INTO Account (LoginName) VALUES (@loginName)";

    cmd.Parameters.AddWithValue("@loginName", Server.HtmlEncode(textBox1.Text.Trim()));

    Monday, June 11, 2007 12:09 AM
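
The difference between the two approaches in this thread, as an added example that is not code from the thread or its participants: it builds the concatenated statement and the parameterized command side by side for the input string quoted in the answer, and wraps the parameterized insert in a helper that also rejects an empty textbox value. The class and method names, the 64-character column width and the connection string are assumptions.

```csharp
using System;
using MySql.Data.MySqlClient;   // Connector/NET provider for MySQL

static class AccountDemo
{
    // Pattern from the question (with the quotes the answer mentions): input becomes SQL text.
    static string BuildConcatenated(string loginName) =>
        "INSERT INTO Account (LoginName) VALUES ('" + loginName + "')";

    // Parameterized form: the SQL text is constant, the value travels separately.
    static MySqlCommand BuildParameterized(string loginName)
    {
        var cmd = new MySqlCommand("INSERT INTO Account (LoginName) VALUES (@loginName)");
        // Explicit type and size (64 is an assumed column width) instead of type inference.
        cmd.Parameters.Add("@loginName", MySqlDbType.VarChar, 64).Value = loginName;
        return cmd;
    }

    // Hypothetical helper: validates the input, runs the insert, disposes connection and command.
    static int CreateAccount(string connectionString, string loginName)
    {
        loginName = (loginName ?? "").Trim();
        if (loginName.Length == 0 || loginName.Length > 64)
            throw new ArgumentException("Login name must be 1-64 characters.", nameof(loginName));

        using (var conn = new MySqlConnection(connectionString))
        using (var cmd = BuildParameterized(loginName))
        {
            cmd.Connection = conn;
            conn.Open();
            return cmd.ExecuteNonQuery();   // number of rows inserted
        }
    }

    static void Main()
    {
        // Constructed input: the string quoted in the answer above.
        string hostile = "newuser'); DROP TABLE Account  --";

        Console.WriteLine(BuildConcatenated(hostile));   // statement structure now depends on input
        using (var cmd = BuildParameterized(hostile))
        {
            Console.WriteLine(cmd.CommandText);                     // SQL text is unchanged
            Console.WriteLine(cmd.Parameters["@loginName"].Value);  // input carried as plain data
        }
        // With a reachable server (placeholder connection string, an assumption):
        // CreateAccount("Server=localhost;Database=test;Uid=app;Pwd=<password>;", "newuser");
    }
}
```

Main needs only the Connector/NET assembly and no running server, because neither command is executed there.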

All replies

  • Thanks a lot, that fixed the problem.
    Monday, June 11, 2007 12:54 AM