Stupid Romeo - 6 months ago
Vb.net Question

Data from input box not inserting into database

I made this form to insert information into the database. I don't know where the error is coming from. It's not inserting information from the input fields into the database.

Here's my code:

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim id, name, description, code, cat_industry, cat_theme, cat_occasion, cat_budget As String
        id = product_id.Text
        name = product_name.Text
        description = product_description.Text
        code = item_code.Text
        cat_industry = industry.SelectedValue
        cat_theme = theme.SelectedValue
        cat_occasion = occasion.SelectedValue
        cat_budget = budget.SelectedValue

        Try
            Dim str1 As String = "insert into product (ID, Product_Name, Product_Description, Item_Code, Industry, Theme, Occasion, Budget) values ('" + id + "', '" + name + "', '" + description + "', '" + code + "', '" + cat_industry + "', '" + cat_theme + "', '" + cat_occasion + "', '" + cat_budget + "')"
            con.Open()
            Dim cmd As New SqlCommand(str1, con)
            cmd.ExecuteNonQuery()
            con.Close()
        Catch ex As Exception
            Response.Write(ex)
        End Try
    End Sub

Answer

Your column names can't be referenced as Product Name and Product Description with a space - you will need to escape it as [Product Name], [Product Description] etc.

But please refrain from inserting data directly - instead you should be parameterizing your input variables. This has benefits from both a performance and security (SQL injection) perspective.

    Dim str1 As String = "insert into product (ID, [Product Name], [Product Description], Item_Code, etc) " & _
                         " values (@id, @name, @description, @code, etc)"
    con.Open()
    Dim cmd As New SqlCommand(str1, con)
    cmd.Parameters.AddWithValue("@id", id)
    cmd.Parameters.AddWithValue("@name", name)
    ' ... etc
    cmd.ExecuteNonQuery()
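
The parameterized insert written out for all eight columns, as an added example that is not part of the original answer. The column names are taken from the question's statement; the `ProductStore` module, the `TextParam` helper, the `NVarChar` type and the column sizes are assumptions to adjust to the real table.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module ProductStore
    ' Builds a typed text parameter. The NVarChar type and the sizes used
    ' below are assumptions; match them to the real column definitions.
    Private Function TextParam(name As String, size As Integer, value As String) As SqlParameter
        Dim p As New SqlParameter(name, SqlDbType.NVarChar, size)
        p.Value = If(value Is Nothing, CObj(DBNull.Value), value)
        Return p
    End Function

    ' Inserts one product row and returns the number of rows affected.
    ' Every user-supplied value travels as a parameter, so input such as
    ' O'Brien is stored as data and never becomes part of the SQL text.
    Public Function InsertProduct(connectionString As String, id As String,
                                  name As String, description As String,
                                  code As String, industry As String,
                                  theme As String, occasion As String,
                                  budget As String) As Integer
        Dim sql As String = "INSERT INTO product (ID, Product_Name, " &
            "Product_Description, Item_Code, Industry, Theme, Occasion, Budget) " &
            "VALUES (@id, @name, @description, @code, " &
            "@industry, @theme, @occasion, @budget)"

        ' Using closes the connection even when ExecuteNonQuery throws.
        Using con As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, con)
                cmd.Parameters.Add(TextParam("@id", 50, id))
                cmd.Parameters.Add(TextParam("@name", 200, name))
                cmd.Parameters.Add(TextParam("@description", 4000, description))
                cmd.Parameters.Add(TextParam("@code", 50, code))
                cmd.Parameters.Add(TextParam("@industry", 100, industry))
                cmd.Parameters.Add(TextParam("@theme", 100, theme))
                cmd.Parameters.Add(TextParam("@occasion", 100, occasion))
                cmd.Parameters.Add(TextParam("@budget", 100, budget))
                con.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```

From `Button1_Click`, call `InsertProduct` with the page's connection string and the `.Text` / `.SelectedValue` values read from the form controls; a return value of 1 means the row was written.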