Home/ Questions/Q 8808711
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T02:41:26+00:00

I am using dateTimePicker to collect date from user in a windows form to

  • 0

I am using dateTimePicker to collect date from user in a windows form to insert in SQL Server Database but when i debug it it says “connot convert dateTime into string” here is the code

string Agent = FieldAgentCombo.Text;
            string Query = "INSERT INTO Comittment(Date,Field_Staff_Date,Detail,Priority,company_name,Name) values('" + Client + "','" + Agent + "','" + Date + "','" + FieldStaffDate + "','" + Detail + "','" + Priority + "')";

            SqlCommand cmd = new SqlCommand(Query, conn);

            int status = cmd.ExecuteNonQuery();
            if (status > 0)
                MessageBox.Show("record inserted");
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your code is vulnerable to SQL injection. I would recommend you using parametrized queries. Also in your SQL query you seem to have mixed the parameters. Make sure they are matching. For example:

    // load the values that you want to insert into standard .NET types
DateTime date = ...
DateTime fieldStaffDate = ...
string detail = ...
string priority = ...
string companyName = ...
string name = ...

// now connect to the database to execute the SQL query
using (var conn = new SqlConnection(ConnectionString))
using (var cmd = conn.CreateCommand())
{
    conn.Open();
    cmd.CommandText = 
    @"INSERT INTO Comittment(
          Date, 
          Field_Staff_Date, 
          Detail, 
          Priority, 
          company_name, 
          Name) 
      VALUES (
          @Date, 
          @Field_Staff_Date, 
          @Detail, 
          @Priority, 
          @company_name, 
          @name)";

    cmd.Parameters.AddWithValue("@Date", date);
    cmd.Parameters.AddWithValue("@Field_Staff_Date", fieldStaffDate);
    cmd.Parameters.AddWithValue("@Detail", detail);
    cmd.Parameters.AddWithValue("@Priority", priority);
    cmd.Parameters.AddWithValue("@company_name", companyName);
    cmd.Parameters.AddWithValue("@name", name);

    cmd.ExecuteNonQuery();
}

    This way the query is no longer vulnerable to SQL injection and in addition to that ADO.NET will take care of properly formatting the .NET types into the corresponding SQL types so that you don’t need to be doing any string parsing and date manipulations.

    • 0