c# - Need help formatting this to get insert query to work -


i struggling hard try figure out how this. trying have inputs textboxes allow admin update data in archive_decade_tbl , insert row in archive_image_tbl if chose add photos. have update query working cannot life of me insert working. conscious new code disgusting of , not worried security @ moment know vulnerable sql injection please me

here code update function:

        protected void update_clicked(object sender, eventargs e){          string connectionstring = "provider=microsoft.ace.oledb.12.0;data source=" + server.mappath("~\\database\\archive_master_database.accdb") + "; persist security info=false;";         dataset infods = new dataset();         oledbdataadapter oledbadapter;         classme.attributes.add("class", "productinfocontainernofloat");         string cmd1 = @"select * archive_decade_tbl archive_id_number=@buttonclicked";         string cmd2 = @"select * archive_image_tbl archive_id_number=@buttonclicked";         oledbconnection dbconn = new oledbconnection(connectionstring);        try     {         dbconn.open();         oledbadapter = new oledbdataadapter(cmd1, dbconn);         oledbadapter.selectcommand.parameters.add("@buttonclicked", oledbtype.integer).value = archiveidnumber.innertext.substring(33);         oledbadapter.fill(infods, "first table");         oledbadapter.selectcommand.commandtext = cmd2;         oledbadapter.fill(infods, "second table");         oledbadapter.dispose();          string cmdstring = "update archive_decade_tbl set product_name='" + request.form["namebox"] + "', model_number='" + request.form["modelbox"] + "', year_introduced='" + request.form["startbox"] + "', year_discontinued='" + request.form["endbox"] + "', product_line='" + request.form["linebox"] + "', location='" + request.form["locationbox"] + "', quantity='" + int.parse(request.form["quantitybox"]) + "' " +             "where archive_id_number=" + int.parse(request.form["archivebox"]);          oledbadapter.updatecommand = new oledbcommand(cmdstring, dbconn);         oledbadapter.updatecommand.executenonquery();         dbconn.close();         if (addphotos.hasfiles)         {             //cmdstring = "update archive_decade_tbl set product_name='" + request.form["namebox"] + "', model_number='" + request.form["modelbox"] + "', year_introduced='" + request.form["startbox"] + "', year_discontinued='" + request.form["endbox"] + "', product_line='" + request.form["linebox"] + "', location='" + request.form["locationbox"] + "' " +             //"where archive_id_number=" + int.parse(request.form["archivebox"]);             var x = 0;             if (!system.io.directory.exists(server.mappath("includes/images/archives/" + request.form["archivebox"] + "_1")))             {                 system.io.directory.createdirectory(server.mappath("includes/images/archives/" + request.form["archivebox"] + "_1"));             }              string filepath = server.mappath("includes/images/archives/" + request.form["archivebox"] + "_1");             httpfilecollection uploadedfiles = request.files;              (int = 0; < uploadedfiles.count; i++)             {                 httppostedfile userpostedfile = uploadedfiles[i];                 if (userpostedfile.contentlength > 0)                 {                     string extension = path.getextension(userpostedfile.filename);                     //request.form["archivebox"] + "_" + same "image" column in image_tbl                     uploadedfiles[i].saveas(filepath + "/" + request.form["archivebox"] + "_" + (i + 1) + extension);                  }                 x++;             }             oledbconnection dbconn2 = new oledbconnection(connectionstring);             oledbdataadapter oledbadapter2;             dataset infods2 = new dataset();             try             {                 dbconn2.open();                 oledbadapter2 = new oledbdataadapter(cmd1, dbconn);                  string cmdstring2 = "insert archive_image_tbl (archive_id_number, model_number, location, image, number_of_images, image_file_type) values ('" + request.form["archivebox"].tostring() + "', '" + request.form["modelbox"].tostring() + "', '" + request.form["locationbox"].tostring() + "', '" + request.form["archivebox"].tostring() + "_1" + "', '" + uploadedfiles.count.tostring() + "', 'jpg');";                 testlbl.innertext = cmdstring2;                 oledbadapter2.insertcommand = new oledbcommand(cmdstring2, dbconn2);                  oledbadapter2.insertcommand.executenonquery();             }             catch (exception ex)             {              }         }      }         catch (exception ex)         {         }     }

right i'm getting there syntax error in insert statement dont know why because printed string label, copy/pasted access , did wanted

the syntax error caused column named image. reserved keyword ms-access , if use in code need encapsulate name between square brackets.

so start of insert query should written 

string cmdstring2 = @"insert archive_image_tbl (archive_id_number,      model_number, location, [image], number_of_images, image_file_type)       values ( .......)";

said that, please consider switching parameterized query because, is, @ start of sequence of possible syntax errors caused implicit conversion , parsing problems. , sql injection hacks

so example

string cmdstring2 = @"insert archive_image_tbl (archive_id_number,      model_number, location, [image], number_of_images, image_file_type)       values (@id, @num, @loc, @img, @imgnum, 'jpg')"; oledbcommand cmd = new oledbcommand(cmdstring2, con1); cmd.parameters.add("@id", oledbtype.varwchar).value = request.form["archivebox"].tostring(); ... , on other parameters placeholders  cmd.executenonquery();

remember use correct datatype parameters. if columns expects integer create parameter of oledbtype.integer , set value integer, same dates , floating point numbers.

by way, execute command don't need have oledbdataadapter.


-

Popular posts from this blog

php - How should I create my API for mobile applications (Needs Authentication) -

background so i've been researching quite bit past week api's , have been reading concepts , programming one. currently have website programmed in php using popular framework called laravel. website has user database , users able log dashboard on website, works want website side. now next project of business i'm focusing on creating mobile applications (ios & andriod).what need these mobile applications being able login through application ui (not being redirected site callback url) able view , manage dashboard. the method of authentication , authorization want use application go like client asks user login through ui user enters credentials client sends request login api the api checks if credentials correct api creates token stored in token database linked user id api returns 200 ok json response or this { "token" : "ols25usjiay81hdy81", "expiry" : 3/06/2016 14:00} client remembers token , expiry whenever user/c
Read more

5 Reasons to Blog Anonymously (and 5 Reasons Not To)

Image
This guest post is by Phil (not his real name) of somehighschoolblog . It used to be impossible to run a business anonymously. Sure, some authors could pull it off, but if you worked at an office, what were you supposed to do? Go to work with a bag over your head? But today anyone can accomplish this, because anyone can author a blog (and you thought I was going to tell you to work with a mask on, or something). Copyright Ovidiu Iordachi - Fotolia.com Depending on your motives, you may or may not have considered blogging anonymously. You probably didn’t contemplate blogging anonymously if: • your only motivation is to become “famous” • your blog connects to another part of your life • you are blogging to build more connections with your friends or boss. You should consider blogging anonymously if: • you’re planning on touching on a sensitive or taboo subject • you don’t want to be identified with your blog • you are worried about negative real-world consequences that could arise from y
Read more

Google AdWords and AdSense - A Dynamic Small Business Marketing Duo

Unless you have been living under a rock for the last year or so, you probably know that Google has become the king of the search engine hill. There are many reasons for this but number one in my opinion is that above all else they put value on content. Today I want to introduce you to two very powerful small business advertising options created by Google. These two ingenious programs have all but revolutionized the way advertising is done on the web. Warning: If you are thinking..."web advertising isn't for me, I just need a few more clients around the block"...you better read this or be prepared to have your competitors eat your lunch. Goolge AdSense - Again content is king at Google. This program allows web site "publishers" to add some code from Google and receive "content relevant" ads on their site from other site owners. Here is an example - those ads in the box on the right of the page are delivered by Google and are matched to the content
Read more