
When writing to an SQL database, I am receiving 'System.Web.UI.WebControls.TextBox' rather than the actual data itself.

upload.aspx.cs file (containing the query):

 string query = "INSERT INTO reports (birdname, location, details, image, spotteddata, uploaddata, typeofbird) VALUES ('"+birdnametext+"', 'mygarden', 'some details about how long you waited', ' " + img + "', '10th March 2014','" + dateNow + "', '2')";

upload.aspx (containing the textbox):

<header> Upload </header>
<p> Please fill out the form below to put your item up for sale</p>
<p>  
<span>Name of Bird:
<asp:TextBox ID="birdnametext" runat="server"></asp:TextBox> </span>
<br/>
<asp:FileUpload ID="FileUpload1" runat="server" />
<br />
<asp:Image ID="Image1" runat="server" />
<br />
  • study aspsnippets.com/Articles/… Commented May 6, 2016 at 19:03
  • Your code is vulnerable to SQL injection. Use parameterized queries to avoid it. Commented May 6, 2016 at 19:24
  • I see all the answers posted are suggesting you use AddWithValue. Since you are using a pass-through query this approach can become problematic. You would want to specify the datatype explicitly because sometimes it will get it wrong. blogs.msmvps.com/jcoehoorn/blog/2014/05/12/… Commented May 6, 2016 at 20:36

3 Answers

There are many things you are doing wrong:

  1. You are trying to pass the TextBox itself to the database; you need to pass its Text instead. That means ...'"+ birdnametext + "' ... should be ...'"+ birdnametext.Text + "' ...
  2. You are opening a wide door for injection through text queries. Use parameterised queries instead.

You can build the command like the following:

// con is an already-open SqlConnection (System.Data.SqlClient)
string query = "INSERT INTO reports(birdname, location) VALUES(@birdname, @location)";
SqlCommand cmd = new SqlCommand(query, con);
// Add each parameter with an explicit SqlDbType so the value is sent typed, never spliced into the SQL text
cmd.Parameters.Add("@birdname", SqlDbType.VarChar).Value = birdnametext.Text;
cmd.Parameters.Add("@location", SqlDbType.VarChar).Value = "mygarden";
// similarly you can add the rest of columns and parameters
cmd.ExecuteNonQuery();

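The injection the answer above warns about, demonstrated end to end as an added example (not code from the question or from either answer). It keeps the exact shape of the question's INSERT but uses Python's sqlite3 so it runs offline: the `reports` table is a constructed stand-in (column types are assumed TEXT, since the page never shows the schema), and the payload is constructed for the demonstration. It shows two things the answer only states: with concatenation, a crafted "bird name" lets the user overwrite columns the server meant to fix (location, typeofbird), and an ordinary apostrophe breaks the statement; with a parameter, the same inputs are stored literally and the statement never changes.

```python
import sqlite3

# Constructed stand-in for the page's `reports` table. Column types are an
# assumption (TEXT everywhere); the real schema is not shown on the page.
SCHEMA = """
CREATE TABLE reports (
    birdname TEXT, location TEXT, details TEXT, image TEXT,
    spotteddata TEXT, uploaddata TEXT, typeofbird TEXT
)
"""

COLUMNS = "birdname, location, details, image, spotteddata, uploaddata, typeofbird"


def fresh_db():
    """In-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_concat(conn, birdname):
    """Same construction as the question: user input spliced into the SQL text."""
    query = (
        "INSERT INTO reports (" + COLUMNS + ") VALUES ('" + birdname
        + "', 'mygarden', 'some details', 'img.jpg', '10th March 2014', '2016-05-06', '2')"
    )
    conn.execute(query)
    conn.commit()


def insert_param(conn, birdname):
    """Same INSERT with a placeholder; the driver passes the value separately."""
    query = (
        "INSERT INTO reports (" + COLUMNS + ") VALUES (?, 'mygarden', 'some details', "
        "'img.jpg', '10th March 2014', '2016-05-06', '2')"
    )
    conn.execute(query, (birdname,))
    conn.commit()


def rows(conn):
    return conn.execute("SELECT birdname, location, typeofbird FROM reports").fetchall()


# Constructed payload: closes the birdname string, supplies all seven values
# itself (so location and typeofbird are attacker-chosen, not server-fixed),
# then comments out the remainder of the original statement with `--`.
PAYLOAD = "x', 'attacker-chosen', 'd', 'i', 's', 'u', '9') --"


def demo():
    """Run both insert styles against the payload and against a plain apostrophe."""
    results = {}

    conn = fresh_db()
    insert_concat(conn, PAYLOAD)
    results["concat_payload"] = rows(conn)      # server-fixed columns overridden

    conn = fresh_db()
    insert_param(conn, PAYLOAD)
    results["param_payload"] = rows(conn)       # payload stored as a literal name

    conn = fresh_db()
    try:
        insert_concat(conn, "O'Hara's Robin")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"   # the quote breaks the statement

    conn = fresh_db()
    insert_param(conn, "O'Hara's Robin")
    results["param_apostrophe"] = rows(conn)[0][0]      # stored intact

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The parameterised version stores the whole payload, `--` included, as the bird's name; that is the point of parameters. Note that the fixed values on the page ('mygarden', the date, '2') are themselves server-controlled literals, so the injection here is entirely from the one user-supplied field.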

You need to use the Text property of a TextBox to access its contents:

... + birdnametext.Text + ...

Parameterization, Not Concatenation

Additionally, when building queries, you do not want to use string concatenation, as it can leave you vulnerable to things like SQL Injection and poor syntax. A better approach would be to use parameterization as seen below:

// requires: using System.Data.SqlClient;
using(var connection = new SqlConnection("{your-connection-string}"))
{
     // Notice the use of parameters: one placeholder per column, no quotes around them
     var query = "INSERT INTO reports (birdname, location, details, image, spotteddata, uploaddata, typeofbird) VALUES (@birdName, @location, @details, @uploadData, @someDate, @now, @x)";
     using(var command = new SqlCommand(query, connection))
     {
          connection.Open();
          // Read the bytes of the uploaded file into a byte[] (FileUpload1 is the control in your markup)
          var imageData = FileUpload1.FileBytes;
          // Add your parameters
          command.Parameters.AddWithValue("@birdName",birdnametext.Text);
          command.Parameters.AddWithValue("@location","mygarden");
          command.Parameters.AddWithValue("@details","some details about how long you waited");
          command.Parameters.AddWithValue("@uploadData",imageData);
          command.Parameters.AddWithValue("@someDate","10th March 2014");
          command.Parameters.AddWithValue("@now",DateTime.Now);        
          command.Parameters.AddWithValue("@x",2);  
          // Execute your query
          command.ExecuteNonQuery();
     }
}


Change birdnametext to birdnametext.Text in your SQL statement
