Insert data into related tables C # [duplicated]

Question

Insert data into related tables C # [duplicated]

Navigation

#1 by (2 votes)
#2 by (1 votes)

0

I want to store it in a table called movies, where it has a foreign key, gen_id.

In the table generos I have populated with 4 genres.

Now in C # I have the SQL command step by string but it tells me that there is an error in the foreign key gen_id.

 public void Registrar()
        {
            try
            {
                SqlConnection conexion = new SqlConnection("server=EMILIANO-PC ; database=VideoClub ; integrated security = true");
                conexion.Open();
                string cadena = "insert into pelicula(nombre_pelicula,web_pelicula,descripcion,anio,idgenero) values ('" + txtnombre.Text.Trim() + "','" + txtweb.Text.Trim() + "' , '" + txtdescripcion.Text.Trim() + "', '" + txtanio.Text + " ', '" + comboBox1.SelectedValue + " ')";
                SqlCommand comando = new SqlCommand(cadena, conexion);
                comando.ExecuteNonQuery();
                MessageBox.Show("Los datos se guardaron correctamente");

                conexion.Close();
            }

            catch (Exception exception)
            {
                MessageBox.Show(exception.ToString());

            }
        }

now the error that comes to me is the following:

Add .ToString to the SelectValue

sql c#

asked by Ibarra Emiliano 13.11.2018 в 03:59

source

2 answers

Is it correct to create a class with static methods to connect to a MySQL database? Put a query in text boxes

score 2 · Answer 1

The way you are doing the query is susceptible to a inyección SQL for security you must work with prepared queries.

The error that is generating you probably has to do with SelectedValue . You must place a breakpoint at the beginning of the method and go step by step reviewing the properties of the objects and controls, ensuring that none are arriving null .

using (SqlConnection cnx = new SqlConnection("server=EMILIANO-PC; database=VideoClub; integrated security=true"))
{
    using (SqlCommand cmd = new SqlCommand("INSERT INTO pelicula(nombre_pelicula,web_pelicula,descripcion,anio,idgenero) VALUES (@nombre,@web,@descripcion,@anio,@valorSelect)", cnx))
    {
        cmd.Parameters.AddWithValue("@nombre", txtnombre.Text.Trim());
        cmd.Parameters.AddWithValue("@web", txtweb.Text.Trim());
        cmd.Parameters.AddWithValue("@descripcion", txtdescripcion.Text.Trim());
        cmd.Parameters.AddWithValue("@anio", txtanio.Text);
        cmd.Parameters.AddWithValue("@valorSelect", comboBox1.SelectedValue);
        cmd.ExecuteNonQuery();
    }
}

score 1 · Answer 2

Hello my recommendation is that you use 'SqlCommand.Parameters, why use this property: Usually the variables that we insert in the database come from a text box, which means that in your case is exposed to attacks malicious on the user's side.

This is an example of how you can implement it since it would be much easier to read the code I hope this helps you.

public void Registrar()
{
    try
    {
        using(SqlConnection conexion = new SqlConnection("server=EMILIANO-PC ; database=VideoClub ; integrated security = true"));
        {
            conexion.Open();
            string cadena = @"insert into pelicula(nombre_pelicula,web_pelicula,descripcion,anio,idgenero) 
                            values(@nombre,@web,@descripcion,@anio,@valorSelect)";                   
            SqlCommand comando = new SqlCommand(cadena, conexion);
            comando.CommandType = CommandType.Text;
            comando.Parameters.AddWithValue("@nombre", txtnombre.Text.Trim());
            comando.Parameters.AddWithValue("@web", txtweb.Text.Trim());
            comando.Parameters.AddWithValue("@descripcion", txtdescripcion.Text.Trim());
            comando.Parameters.AddWithValue("@anio", txtanio.Text);
            comando.Parameters.AddWithValue("@valorSelect", comboBox1.SelectedValue);

            comando.ExecuteNonQuery();
            MessageBox.Show("Los datos se guardaron correctamente");

            conexion.Close();
        }
    }
    catch (Exception exception)
    {
        MessageBox.Show(exception.ToString());
    }
}

also remember to check the variables with unit tests, to ensure that the value is what you need.