Error when storing a file in SQL

0

Hi, I am trying to run an INSERT query from C#. When I parse it I get a syntax error, but I do not see it. Could someone tell me what it is, or what I am doing wrong?

//KyoTest
[HttpPost]
public JsonResult KyoTest(testsoru obj) {


  string cs = "Data Source=DMX87025;Initial Catalog=DB_PCC;Integrated Security=True";

  //HttpPostedFileWrapper file = test.file; // You don't need to put it in a variable, but I do it to show the data type

  string query = "INSERT INTO Testsoru ([Name],[Wiw],[Formato],[Size],[FName],[Type])" +
    " VALUES ( " + obj.name + "," + obj.wiw + "," + obj.formato + "" +
    "," + obj.size + "," + obj.fname + ", " + obj.ftype + ")";


  System.Console.WriteLine("---------------------------AQUI!!!!!!!----------------------------" + query);
  using(SqlConnection con = new SqlConnection(cs)) {
    SqlCommand cmd = new SqlCommand(query, con);

    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();

  }

  return Json(new {
    success = true, message = "Success Baby Doll :* ;)"
  }, JsonRequestBehavior.AllowGet);

}

asked by E.Rawrdríguez.Ophanim 07.11.2017 at 21:29

2 answers

3

Most likely you have varchar columns and you are not saving the values as such. Varchar values must be enclosed in single quotes ''.

Suppose that [Name], [Formato] and [FName] are varchar; then it would be like this:

  string query = "INSERT INTO Testsoru ([Name],[Wiw],[Formato],[Size],[FName],[Type])" +
    " VALUES ('" + obj.name + "', " + obj.wiw + ",'" + obj.formato + "'," +
    obj.size + ",'" + obj.fname + "', " + obj.ftype + ")";

Now, your code is very vulnerable to SQL injection, so change it to use parameters for the values and thus execute the query securely:

[HttpPost]
public JsonResult KyoTest(testsoru obj) {


  string cs = "Data Source=DMX87025;Initial Catalog=DB_PCC;Integrated Security=True";

  //HttpPostedFileWrapper file = test.file; // You don't need to put it in a variable, but I do it to show the data type

  string query = "INSERT INTO Testsoru ([Name],[Wiw],[Formato],[Size],[FName],[Type])" +
    " VALUES (@name,@wiw,@formato,@size,@fName,@fType)";


  System.Console.WriteLine("---------------------------AQUI!!!!!!!----------------------------" + query);
  using(SqlConnection con = new SqlConnection(cs)) {
    SqlCommand cmd = new SqlCommand(query, con);

    cmd.Parameters.AddWithValue("@name",  obj.name ?? String.Empty);
    cmd.Parameters.AddWithValue("@wiw",  obj.wiw);
    cmd.Parameters.AddWithValue("@formato",  obj.formato ?? String.Empty);
    cmd.Parameters.AddWithValue("@size",  obj.size);
    cmd.Parameters.AddWithValue("@fName",  obj.fname ?? String.Empty);
    cmd.Parameters.AddWithValue("@fType",  obj.ftype);
    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();

  }

  return Json(new {
    success = true, message = "Success Baby Doll :* ;)"
  }, JsonRequestBehavior.AllowGet);

}
answered by 07.11.2017 / 21:39
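The answer above makes two points: quoting fixes the immediate syntax error, and parameters remove the injection risk entirely. The following is an added example, not code from the question or either answer, showing why the first fix is not enough on its own: a legitimate value containing an apostrophe (the constructed sample "O'Brien report") still unbalances the quotes in the concatenated statement, while a parameterized command keeps the statement text fixed and carries the value separately. It assumes the same Testsoru table and column names as the posted code, assumes column types (Wiw and Type as int, Size as bigint, the string columns as nvarchar with the listed lengths), and uses a placeholder connection string. It also uses typed `Parameters.Add` instead of `AddWithValue`, which avoids type inference and lets the driver enforce lengths.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient works with the namespace swapped

public static class TestsoruInsert
{
    // Constructed sample input: an ordinary name with an apostrophe, the kind of
    // value a real user will eventually submit.
    public const string SampleName = "O'Brien report";

    // The concatenation approach from the answers, kept only to show the failure.
    public static string BuildConcatenated(string name, int wiw, string formato,
                                           long size, string fname, int ftype)
    {
        return "INSERT INTO Testsoru ([Name],[Wiw],[Formato],[Size],[FName],[Type])" +
               " VALUES ('" + name + "'," + wiw + ",'" + formato + "'," +
               size + ",'" + fname + "'," + ftype + ")";
    }

    // An odd number of single quotes means an unclosed literal, which is exactly
    // the "Incorrect syntax" / "Unclosed quotation mark" error SQL Server raises.
    public static bool HasBalancedQuotes(string sql)
    {
        int count = 0;
        foreach (char c in sql) if (c == '\'') count++;
        return count % 2 == 0;
    }

    // Parameterized command: values are sent separately from the statement text,
    // so they are never parsed as SQL and need no quoting. Explicit SqlDbType and
    // size (assumed column types) avoid AddWithValue's inference, which can send
    // NVARCHAR for a VARCHAR column and force an implicit conversion server-side.
    public static SqlCommand BuildParameterized(SqlConnection con, string name, int wiw,
                                                string formato, long size, string fname, int ftype)
    {
        const string query =
            "INSERT INTO Testsoru ([Name],[Wiw],[Formato],[Size],[FName],[Type])" +
            " VALUES (@name,@wiw,@formato,@size,@fName,@fType)";

        var cmd = new SqlCommand(query, con);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = (object)name ?? DBNull.Value;
        cmd.Parameters.Add("@wiw", SqlDbType.Int).Value = wiw;
        cmd.Parameters.Add("@formato", SqlDbType.NVarChar, 50).Value = (object)formato ?? DBNull.Value;
        cmd.Parameters.Add("@size", SqlDbType.BigInt).Value = size;
        cmd.Parameters.Add("@fName", SqlDbType.NVarChar, 260).Value = (object)fname ?? DBNull.Value;
        cmd.Parameters.Add("@fType", SqlDbType.Int).Value = ftype;
        return cmd;
    }

    public static void Main()
    {
        string concatenated = BuildConcatenated(SampleName, 1, "pdf", 1024, "report.pdf", 2);
        Console.WriteLine(concatenated);
        Console.WriteLine("balanced quotes: " + HasBalancedQuotes(concatenated));   // False

        // No database is needed to see the difference: the command text stays fixed
        // and the apostrophe lives only inside the parameter value.
        using (var con = new SqlConnection("Data Source=<server>;Initial Catalog=<db>;Integrated Security=True"))
        using (SqlCommand cmd = BuildParameterized(con, SampleName, 1, "pdf", 1024, "report.pdf", 2))
        {
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@name = " + cmd.Parameters["@name"].Value);
            // con.Open(); cmd.ExecuteNonQuery();   // against a real database
        }
    }
}
```

Wrapping the SqlCommand in `using` disposes it with the connection, and `con.Close()` is unnecessary because `using` on the connection already closes it. The same apostrophe problem applies to the quoting shown in the second answer below; only the parameterized form is immune to it.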
1

As I see it, you are trying to insert fields of type varchar or similar into the DB; you must enclose them in single quotes, for example:

string query = "INSERT INTO Testsoru ([Name],[Wiw],[Formato],[Size],[FName],[Type])" +
  " VALUES ('" + obj.name + "','" + obj.wiw + "','" + obj.formato + "'," +
  obj.size + ",'" + obj.fname + "','" + obj.ftype + "')";

If you have numeric fields, they should NOT go in single quotes.

I hope it serves you.

answered by 07.11.2017 at 21:38