1

What I'm trying to do is insert a username and their monthly hour limit into my SQL Server database. I've used the automatically generated statements for updating and deleting. I just need to add in new users now. The code below should work as far as I know, but it doesn't. I think it's the way I've written it.

The part in comments is what the Userdata.aspx file automatically generated, so I'm trying to convert it to use my 2 text boxes.

Thanks a lot.

    protected void Button1_Click1(object sender, EventArgs e)
    {
        string sql = "INSERT INTO [UserData]([UserName], [MonthlyHourLimit]) VALUES ("+ TextBox1.Text + "," + TextBox2.Text + ")";
        //INSERT INTO [UserData] ([UserName], [MonthlyHourLimit]) VALUES (@UserName, @MonthlyHourLimit)" 
        SqlDataSource1.InsertCommand = sql;
        GridView1.DataBind();
    }
marc_s
asked Mar 15, 2013 at 15:12
5
  • What doesn't work about this? Are you getting an error? Commented Mar 15, 2013 at 15:14
  • 2
    The first thing you should take care of is SQL injection. You'd better create a SqlCommand class instance with parameters for every value read from the user. Though it's probably not your current problem. Commented Mar 15, 2013 at 15:15
  • I'm not getting an error, just nothing happens when my button is clicked. Commented Mar 15, 2013 at 16:11
  • The generated code is much better than yours - it uses parameters to avoid concatenating together SQL statements and thus opening the door to SQL injection attacks - just don't do it! - never. Commented Mar 15, 2013 at 16:16
  • But the generated code doesn't help me because I can't get the data from the boxes and insert on button1_click's event Commented Mar 15, 2013 at 16:39

2 Answers

5

You need to configure your data source to use parameters.

    <%-- Both commands use @-placeholders; values are bound as parameters, not concatenated into the SQL text --%>
    <asp:SqlDataSource ID="EmployeeDetailsSqlDataSource"
        SelectCommand="select [UserName], [MonthlyHourLimit] from [UserData] where UserName= @UserName"
        InsertCommand="INSERT INTO [UserData] ([UserName], [MonthlyHourLimit]) VALUES (@UserName, @MonthlyHourLimit);"
        ConnectionString="<%$ ConnectionStrings:MyConnection %>"
        RunAt="server">
        <SelectParameters>
            <asp:Parameter Name="UserName" Type="String" DefaultValue="0" />
        </SelectParameters>
        <InsertParameters>
            <asp:Parameter Name="UserName" Direction="Input" Type="String" />
            <asp:Parameter Name="MonthlyHourLimit" Direction="Input" Type="String" />
        </InsertParameters>
    </asp:SqlDataSource>

UPDATE: I forgot to mention, you would want to use ControlParameter and not a simple Parameter. Take a look at the following snippet:

 <asp:ControlParameter Name="UserName" ControlId="ddlUserNames" PropertyName="SelectedValue"/>
 ...
 <asp:DropdownList
 ID="ddlUserNames"
 runat="server"
 Autopostback="True">
 <asp:Listitem Selected="True">Users</asp:Listitem>
 <asp:Listitem Value="Peter">Peter</asp:Listitem>
 <asp:Listitem Value="Jessica">Jessica</asp:Listitem>
 </asp:Dropdownlist>

Take a look at the corresponding MSDN page describing the usage of SqlDataSource in detail.

UPDATED 2: complete example in order to avoid confusion

    <%-- The insert parameters take their values from the two text boxes declared below --%>
    <asp:SqlDataSource ID="EmployeeDetailsSqlDataSource"
        SelectCommand="select [UserName], [MonthlyHourLimit] from [UserData] where UserName= @UserName"
        InsertCommand="INSERT INTO [UserData] ([UserName], [MonthlyHourLimit]) VALUES (@UserName, @MonthlyHourLimit);"
        ConnectionString="<%$ ConnectionStrings:MyConnection %>"
        RunAt="server">
        <SelectParameters>
            <asp:Parameter Name="UserName" Type="String" DefaultValue="0" />
        </SelectParameters>
        <InsertParameters>
            <asp:ControlParameter Name="UserName" ControlId="txtUserName" Direction="Input" Type="String" />
            <asp:ControlParameter Name="MonthlyHourLimit" ControlId="txtMonthlyHourLimit" Direction="Input" Type="String" />
        </InsertParameters>
    </asp:SqlDataSource>
    <asp:TextBox runat="server" ID="txtUserName" />
    <asp:TextBox runat="server" ID="txtMonthlyHourLimit" />
answered Mar 15, 2013 at 15:21
9
  • 2
    #Vittore, this approach is MUCH better and safer than trying to build a clean/safe dynamic SQL statement. Commented Mar 15, 2013 at 15:24
  • @tgolisch believe me, I know! Commented Mar 15, 2013 at 15:24
  • So if you make it use parameters in the aspx, how do you then define them and use them in the .cs file? Commented Mar 15, 2013 at 15:35
  • You can define a ControlParameter so you don't need code, or you can define a general parameter so you can set it from code-behind; there is a detailed explanation in the second link I gave in my answer. Most likely, though, you don't need to change it in code-behind for such a case and are instead going to use a combination of ControlParameter, SessionParameter etc. Commented Mar 15, 2013 at 15:38
  • Sorry, I still don't understand how I can get whatever is on those boxes into the database by clicking my button Commented Mar 15, 2013 at 16:12
0
Datasource.InsertCommand is a property.
Datasource.Insert() is a method.

You should also use parameters.

datasource.InsertParameters("UserName").DefaultValue = TextBox1.Text
datasource.InsertParameters("MonthlyHourLimit").DefaultValue = TextBox2.Text
answered Mar 15, 2013 at 15:17
1
  • But insertparameters isn't a method either? Commented Mar 15, 2013 at 16:54
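
Putting the thread's advice together, as an added example that is not part of the original posts: a code-behind handler that validates the two text boxes, binds them as parameters and calls `Insert()`, the step the question's handler never reaches (assigning `InsertCommand` only stores the statement text). The control names are the asker's; the class name `Userdata`, the 50-character name limit and the integer type of `MonthlyHourLimit` are assumptions.

```csharp
using System;
using System.Web.UI;

// Added example: code-behind for the asker's page.
// Assumes the .aspx declares SqlDataSource1, TextBox1, TextBox2 and GridView1
// (names from the question); the class name is hypothetical.
public partial class Userdata : Page
{
    private const int MaxUserNameLength = 50; // assumed column size

    protected void Button1_Click1(object sender, EventArgs e)
    {
        string userName = TextBox1.Text.Trim();
        int hourLimit;

        // Validate before touching the database: reject empty or oversized
        // names and anything that is not a non-negative integer.
        if (userName.Length == 0 || userName.Length > MaxUserNameLength ||
            !int.TryParse(TextBox2.Text, out hourLimit) || hourLimit < 0)
        {
            return; // a real page would show a validation message here
        }

        // Fixed statement text with placeholders only; user input is never
        // concatenated into the SQL string.
        SqlDataSource1.InsertCommand =
            "INSERT INTO [UserData] ([UserName], [MonthlyHourLimit]) " +
            "VALUES (@UserName, @MonthlyHourLimit)";

        // Parameter names carry no '@' here; SqlDataSource adds the prefix.
        SqlDataSource1.InsertParameters.Clear();
        SqlDataSource1.InsertParameters.Add("UserName", TypeCode.String, userName);
        SqlDataSource1.InsertParameters.Add("MonthlyHourLimit", TypeCode.Int32,
                                            hourLimit.ToString());

        // Insert() executes the command and returns the number of rows inserted.
        int rows = SqlDataSource1.Insert();

        if (rows == 1)
        {
            GridView1.DataBind(); // refresh the grid with the new row
        }
    }
}
```

If the insert parameters are declared in markup as `ControlParameter` elements, the `Clear()`/`Add()` calls and the `InsertCommand` assignment can be dropped and the handler reduces to validation plus `Insert()`.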
