I m trying to save the date to mysql from jquery *DatePicker* from C#
string datetime = txtDate.Text + " " + time;//05/11/2011 5:30 pm
string getSQL1 =
"INSERT into tblconcertdetail
(Address, City, Pincode, Country, Concert_Date)
VALUES ('" + addr + "','" + txtCCity.Text + "','" + txtCpincode.Text + "','" +
ddlCCountry.SelectedItem.Text + "','" + Convert.DateTime(datetime) + "')";
Here getsql1 shows me the date field filled but in database it stores 0000-00-00 00:00 value.
I m not getting why it is so.
I also try convert.ToString(datetime) to.
As mentioned in comments, you have to use parameters for 2 reasons:
Prevent SQL Injections.
Handle data type conversions. In your case, handling the .NET DateTime type to its equivalent value in database.
Related
String query6 = "
SELECT p.*,SUM(L.qty)as sales
FROM product p,purchaseLog L
WHERE L.purchaseDate
BETWEEN '"+ startDate.Value.Date.ToString("yyyy-dd-MM") + "'
AND '"+endDate.Value.Date.ToString("yyyy-dd-MM") +"'
AND p.id=l.itemID GROUP BY p.product_name
ORDER BY sales ASC LIMIT " + " " + " " + count + "";
This is the query that I made in Visual Studio. I tried inputting this query manually without variables in phpmyadmin and it works just fine. But for some reason when I write the query down and pass it to a mysqlcommand and mysqldatareader it doesn't detect the date. The count used not work too. But adding space in between the word "limit" and the count made it work.
Is C# trimming some parts of my queries?
This: 'yyyy-dd-MM' is the wrong format. It must be "yyyy-MM-dd". Ideally you'd even prefix this with the word DATE so as to mark the string as a date literal:
" ... WHERE L.purchaseDate BETWEEN DATE '" + startDate.Value.Date.ToString("yyyy-MM-dd") +
"' AND DATE '" + endDate.Value.Date.ToString("yyyy-MM-dd") + "'... "
I don't know why the date and time is not saving on my Access Database. I follow some tutorial but it seems I'm having some problems on my code.
DateTime getdate = DateTime.Now;
String time = getdate.ToString("F");
and when I add
OleDbCommand cmdInsert = new OleDbCommand(#"insert into TblInventory (ItemCode,ProductName,Quantity,DateTime)
values ('" + txtItem.Text + "','" + txtProduct.Text + "','" + txtQuantity.Text + "','" + time +"')");
cmdInsert.Connection = con;
cmdInsert.ExecuteNonQuery();
Im stock. please help. thanks guys
The error says that there are problem on the insert into statement
Name of your column is DateTime which is a keyword. You need to change name of column. Also use Parameterized query don't concatenate strings in query.
List of reserved words.
I have an issue with sorting dates in DataGridView, i am adding data to access db like this
DateTime act_date = DateTime.Today;
DateTime op_date = dateTimePicker1_txt.Value.Date;
command.CommandText = "insert into data (client,operation,op_time,ac_user,actual_date,operation_date,price) values('" + client_box.Text + "','" + operation_box.Text + "','" + time_txt.Text + "','" + emp_box.Text + "','" + act_date + "','" + op_date.ToShortDateString() + "','" + price_txt.Text + "')";
and then load data to datagridview, in database it look fine, i can sort like a date, but in DGV is always sorted like a number e.g.
16.12.2015 0:00
26.4.2016 0:00
31.3.2016 0:00
4.2.2016 0:00
i have to use central europe format
i want to hide the minute and second, but it work just when i put data to database like a string
i am loading dgv like this this.dataTableAdapter.Fill(this.akmv_dbDataSet.data);
DGV look like this
https://i.imgur.com/qfXHHkH.png
please help, i am lost
I am trying to convert a textbox text into a DateTime so that I can insert it into the database table into a datetime column.
Here is my code
bookingfromdate text is "08/07/2015 03:00:00 pm"
DateTime bookingfrom = DateTime.ParseExact(bookingfromdate.Text.ToString(),
"dd/MM/yyyy h:mm:ss tt", new CultureInfo("en-US"),DateTimeStyles.None);
The value of bookingfrom is 08/07/2015 15:00:00 and when I insert it in the database, it is throwing an exception:
The conversion of a varchar data type to a datetime data type resulted in an out-of-range value.The statement has been terminated.
Please help.
and the Insert query is
string sql = "Insert into ITResources_Booking (ResourceID,BookingFrom,BookingTo)
Values (" + Convert.ToInt32(ddControl.SelectedItem.Value.ToString())
+ ",'" + bookingfrom + "','" + bookingto + "')";
Always try to use parameterized queries to avoid SQL Injection
In your query you are converting date time to string again like #Matt Johnson said don't do that.
If you are doing please specify the format of date you are supplying because sql always expect date format in MM/dd/yyyy , yyyy-MM-dd etc formats if the date you supplying is 25/10/2015 it will fail because 25 is not a valid month
So if you are still stick with your query try below
string sql = "Insert into ITResources_Booking (ResourceID,BookingFrom,BookingTo)
Values (" + Convert.ToInt32(ddControl.SelectedItem.Value.ToString())
+ ",'" + bookingfrom.ToString("dd/MM/yyyy HH:mm:ss") + "','" +
bookingto.ToString("dd/MM/yyyy HH:mm:ss") + "')";
OR
string sql = "Insert into ITResources_Booking (ResourceID,BookingFrom,BookingTo)
Values (" + Convert.ToInt32(ddControl.SelectedItem.Value.ToString())
+ ",'" + bookingfrom.ToString("yyyy-MM-dd HH:mm:ss") + "','" +
bookingto.ToString("yyyy-MM-dd HH:mm:ss") + "')";
The error indicates that you're converting the DateTime back to a string when you pass it along to the database. As shown in your insert query, you are passing it inline the SQL query instead of passing it as a parameter.
The simple answer is: don't do that.
Parameterize your inputs. It will help with your dates, and it will prevent SQL Injection attacks.
Your SQL statement should look like this:
string sql = "INSERT INTO Resources_Booking (ResourceID, BookingFrom, BookingTo) VALUES (#ResourceID, #BookingFrom, #BookingTo)";
Then you should add the actual values as parameters when you execute the statement.
var command = new SqlCommand ...etc...
command.CommandText = sql;
command.Parameters.AddWithValue("#ResourceID", theResourceId);
command.Parameters.AddWithValue("#BookingFrom", bookingFrom);
command.Parameters.AddWithValue("#BookingTo", bookingTo);
...
your bookingfrom is DateTime,why you don not use DbParameter?or you can have a try below
string sql = "Insert into ITResources_Booking (ResourceID,BookingFrom,BookingTo) Values (" + Convert.ToInt32(ddControl.SelectedItem.Value.ToString()) + ",'" + bookingfrom.ToString("YYYY-MM-dd HH:mm:ss") + "','" + bookingto + "')";
I have below code:
query = "insert into tblB2B_OrderStatusTopStillInRB (LSRNbr, ShipName, Units, DroppedInRB, EPT, Status, OnTimeStatus, ShipVia, DroppedInRB_Order, RealEPT) ";
query += "values ('"
+ ListOrdStatusTopInRB[i].LSRNbr + "','"
+ ListOrdStatusTopInRB[i].ShipName + "',"
+ ListOrdStatusTopInRB[i].Units + ",'"
+ ListOrdStatusTopInRB[i].DroppedInRB + "','"
+ ListOrdStatusTopInRB[i].EPT + "','"
+ ListOrdStatusTopInRB[i].Status + "','"
+ ListOrdStatusTopInRB[i].OnTimeStatus + "','"
+ ListOrdStatusTopInRB[i].ShipVia + "','"
+ ListOrdStatusTopInRB[i].DroppedInRB_Order + "','"
+ ListOrdStatusTopInRB[i].RealEPT + "')";
cmd.CommandText = query;
cmd.ExecuteNonQuery();
And I just realized, that when the ShipName has a value with a single quotation mark, is causing an error in the insert statement, for instance: int'l Transp.
Is there any way to fix that, without removing the single quotation mark from the string?
I was trying using the following but didn't work:
cmd.CommandText = #query
+ #ListOrdStatusTopInRB[i].ShipName + "',"
Any ideas?
Is there any way to fix that, without removing the single quotation mark from the string?
Yes - use parameterized SQL instead. You should never use variable values directly in your SQL like this. It can allow SQL injection attacks, cause conversion oddities, and generally make the SQL more confusing to read.
See the documentation for SqlCommand.Parameters for an example of parameterized SQL.
Basically, the idea is that your SQL includes references to parameters, e.g.
INSERT INTO SomeTable(Foo, Bar) VALUES (#Foo, #Bar)
and then you specify the values for #Foo and #Bar separately. The values then aren't part of the SQL itself, so it doesn't matter whether or not they contain characters which would have special meaning within the SQL.