-2

So I am trying to make a form for people to insert some values and then save it into a database. For example when I type in "a" into a form and click save I get an error saying Invalid column name 'a'. I get that for every string input, but not for numbers. Does it have something to do with the column in the database being varchar and I am using string in c# or something like that? This is my code for getting form input:

private void btnGotovo_Click(object sender, EventArgs e)
        {
            bool provjera = ProvjeraUnosa();
            if(provjera)
            {
                object idZaposlenika = cboZaposlenik.SelectedValue;
                int IdZaposlenika = (int) idZaposlenika;
                string opis = txtOpis.Text;
                string ponuditelj_1 = txtPonuditelj1.Text;
                float cijena_bez_pdv_1 = float.Parse(txtCijenaBezPDV1.Text, new CultureInfo("en-US"));
                float cijena_sa_pdv_1 = float.Parse(txtCijenaSaPDV1.Text, new CultureInfo("en-US"));
                string odabrano_1 = txtOdabrano1.Text;
                string ponuditelj_2 = txtPonuditelj2.Text;
                float cijena_bez_pdv_2 = float.Parse(txtCijenaBezPDV2.Text, new CultureInfo("en-US"));
                float cijena_sa_pdv_2 = float.Parse(txtCijenaSaPDV2.Text, new CultureInfo("en-US"));
                string odabrano_2 = txtOdabrano2.Text;
                object idFinanciranja = cboFinanciranje.SelectedValue;
                int IdFinanciranja = (int)idFinanciranja;
                int broj_projekta = int.Parse(txtBrojProjekta.Text);
                string naziv_projekta = txtNazivProjekta.Text;
                string voditelj_projekta = txtVoditeljProjekta.Text;
                string dodatno = txtDodatno.Text;
                //DateTime datum = DateTime.Now;
                NarudzbenicaRepository.InsertNarudzbenica(IdZaposlenika, opis, ponuditelj_1, cijena_bez_pdv_1, cijena_sa_pdv_1, odabrano_1, ponuditelj_2, cijena_bez_pdv_2, cijena_sa_pdv_2, odabrano_2, IdFinanciranja, broj_projekta, naziv_projekta, voditelj_projekta, dodatno);
                Close();
            }
        }

ProvjeraUnosa() function is just for checking if inputs are entered and in the right format.

And this is my code for writing the sql query:

public static void InsertNarudzbenica(int idZaposlenika, string opis, string ponuditelj_1, float cijena_bez_pdv_1, float cijena_sa_pdv_1, string odabrano_1, string ponuditelj_2, float cijena_bez_pdv_2, float cijena_sa_pdv_2, string odabrano_2, int idFinanciranja, int broj_projekta, string naziv_projekta, string voditelj, string dodatno)
        {
            //string sql = $"INSERT INTO Narudzbenica (id_zaposlenika, opis_predmeta_nabave, ponuditelj_1, cijena_bez_pdv_1, cijena_sa_pdv_1, odabrana_1, ponuditelj_2, cijena_bez_pdv_2, cijena_sa_pdv_2, odabrana_2, id_financiranja, broj_projekta, naziv_projekta, voditelj_projekta, dodatno) VALUES ({idZaposlenika}, {opis}, {ponuditelj_1}, {cijena_bez_pdv_1}, {cijena_sa_pdv_1}, {odabrano_1}, {ponuditelj_2}, {cijena_bez_pdv_2}, {cijena_sa_pdv_2}, {odabrano_2}, {idFinanciranja}, {broj_projekta}, {naziv_projekta}, {voditelj}, {dodatno})";
            string sql = $"INSERT INTO Narudzbenica VALUES ({idZaposlenika}, {opis}, {ponuditelj_1}, {cijena_bez_pdv_1}, {cijena_sa_pdv_1}, {odabrano_1}, {ponuditelj_2}, {cijena_bez_pdv_2}, {cijena_sa_pdv_2}, {odabrano_2}, {idFinanciranja}, {broj_projekta}, {naziv_projekta}, {voditelj}, {dodatno})";
            DB.OpenConnection();
            DB.ExecuteCommand(sql);
            DB.CloseConnection();
        }

I am new to c# and working with an sql database so this might be trivial but thanks for your help!

SatanasHammer
  • 7
  • 2
  • 5
    Do not use string concatenation to create an SQL command. Use parameterized statements. See [why it's a bad idea and how to fix it](//bobby-tables.com). – gunr2171 May 27 '22 at 17:50
  • 2
    Typo, values need to be quoted in your command. But please ignore that last sentence and instead use parameters, which will properly fix the issue. You should also specify the columns you are inserting the values into, otherwise the wrong value might be inserted into the wrong column. – gunr2171 May 27 '22 at 17:51
  • @gunr2171 Thanks so much it was a typo. Also I get that it's vulnerable to SQL injection but it's a small college homework so that is not a big deal hahah. Thanks again! – SatanasHammer May 27 '22 at 18:34
  • 2
    No, it's really a big deal. A college assignment is the perfect place to learn how to do things correctly. If you're cutting corners now, no one is going to want to hire you in the future. – gunr2171 May 27 '22 at 18:38
  • 2
    It requires practically no extra code/effort to use parameterized queries, and if you had been using parameterized queries this issue wouldn't have happened, so you wouldn't have wasted your time putting together a SO question, and everybody would have been better off. Use this as an opportunity to develop good coding habits. – StriplingWarrior May 27 '22 at 18:46
  • It's never too early to start doing something properly. The longer you adopt a bad habit the more reluctant you'll be to change it.. – Caius Jard May 27 '22 at 19:42
  • There are lots of other things you can do to improve your SQL life; one you have this down and sorted look at a Dapper tutorial; it take a huge amount of the pain out of querying properly, parameters, etc. You can also go the next level up and take most of the pain out of writing the queries at all with Entity Framework – Caius Jard May 27 '22 at 19:46

0 Answers0