Inserting dates into SQL Server DB

[Andrew Banks]

I'm running the following code in a C#.NET page and it doesn't enter the
values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think it's the
slashes(/) that are causing the problem. If I don't enter a DOB in this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial catalog=Friends; user
id=sa;");

cmd = new SqlCommand(sql, con);

con.Open();

bool doredirect=true;

try

{

cmd.ExecuteNonQuery();

}

catch

{

doredirect = false;

this.lblMessage.Visible = true;

//this.lblMessage.Text = "Insert couldn't be performed. Username may already
be taken.";

this.lblMessage.Text = sql;

}

finally

{

con.Close();

}

if (doredirect)

Response.Redirect("Login.aspx");

}



else

lblMessage.Text = "Fix the following errors and retry:";

}

 

[Miha Markic]

Hi Andrew,

You might consider using parametrised commands.
See SqlCommand.Parameters property..

 

[William Ryan]

I'm with Miha. You can accomplish the same thing with Parameters and not
add another line of code. You'll get better performance and you won't have
to worry about injection attacks or names like O'Malley.

Since you're using SQL Server..this mod will start it

sb.Append("VALUES (@FirstParamName, @SecondParamName, @ThirdParamName etc)

THen, add the parameters...

cmd.Parameters.Add("@FirstParamName", SqlDbType.DateTime).Value = (Date)
txtBirthday.Text;
(I know Birthday doesn't correspond with the first paramater, but just
wanted to show you how it works.) From what I can see, it's all upside for
using Parameters instead (and this looks ripe for a Stored Procedure).....
http://www.knowdotnet.com/articles/storedprocsvb.html

Good Luck,

Bill

I'm running the following code in a C#.NET page and it doesn't enter the
values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think it's the
slashes(/) that are causing the problem. If I don't enter a DOB in this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial catalog=Friends; user
id=sa;");

cmd = new SqlCommand(sql, con);

con.Open();

bool doredirect=true;

try

{

cmd.ExecuteNonQuery();

}

catch

{

doredirect = false;

this.lblMessage.Visible = true;

//this.lblMessage.Text = "Insert couldn't be performed. Username may already
be taken.";

this.lblMessage.Text = sql;

}

finally

{

con.Close();

}

if (doredirect)

Response.Redirect("Login.aspx");

}



else

lblMessage.Text = "Fix the following errors and retry:";

}

 

[Andrew Banks]

Miha,

Thanks for your inout. I'm not too sure what to do with this. I'm quite new
to .NET and am working through a Wrox book - it's actually one of their
tutorials thats causing me the error!

Would you mind giving a little more explanation please.

Thanks

Hi Andrew,

You might consider using parametrised commands.
See SqlCommand.Parameters property..

--
Miha Markic - RightHand .NET consulting & development
miha at rthand com
www.rthand.com

I'm running the following code in a C#.NET page and it doesn't enter the
values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think it's the
slashes(/) that are causing the problem. If I don't enter a DOB in this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial catalog=Friends; user
id=sa;");

cmd = new SqlCommand(sql, con);

con.Open();

bool doredirect=true;

try

{

cmd.ExecuteNonQuery();

}

catch

{

doredirect = false;

this.lblMessage.Visible = true;

//this.lblMessage.Text = "Insert couldn't be performed. Username may already
be taken.";

this.lblMessage.Text = sql;

}

finally

{

con.Close();

}

if (doredirect)

Response.Redirect("Login.aspx");

}



else

lblMessage.Text = "Fix the following errors and retry:";

}

 

[Joey Powell]

Andrew, dates must be enclosed within single quotes in all SQL
statements. Parameter {10} below is for DateofBirth and is not
enclosed in single quotes. You should wrap it in single quotes like
you did for the first few parameters (i.e. '{10}'). HTH JP

 

[Andrew Banks]

Joey, dose this statement further down the code cover that?

if (txtBirth.Text != string.Empty)
values.Add("'" + txtBirth.Text + "'");
else
values.Add("Null");

Andrew, dates must be enclosed within single quotes in all SQL
statements. Parameter {10} below is for DateofBirth and is not
enclosed in single quotes. You should wrap it in single quotes like
you did for the first few parameters (i.e. '{10}'). HTH JP

"Andrew Banks" <[email protected]> wrote in message

I'm running the following code in a C#.NET page and it doesn't enter the
values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think it's the
slashes(/) that are causing the problem. If I don't enter a DOB in this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial catalog=Friends; user
id=sa;");

cmd = new SqlCommand(sql, con);

con.Open();

bool doredirect=true;

try

{

cmd.ExecuteNonQuery();

}

catch

{

doredirect = false;

this.lblMessage.Visible = true;

//this.lblMessage.Text = "Insert couldn't be performed. Username may already
be taken.";

this.lblMessage.Text = sql;

}

finally

{

con.Close();

}

if (doredirect)

Response.Redirect("Login.aspx");

}



else

lblMessage.Text = "Fix the following errors and retry:";

}

 

[Miha Markic]

Hi Andrew,

If I remember the format 'yyyymmdd' is the most universal for this (it isn't
regional settings dependent)

--
Miha Markic - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

Joey, dose this statement further down the code cover that?

if (txtBirth.Text != string.Empty)
values.Add("'" + txtBirth.Text + "'");
else
values.Add("Null");

Andrew, dates must be enclosed within single quotes in all SQL
statements. Parameter {10} below is for DateofBirth and is not
enclosed in single quotes. You should wrap it in single quotes like
you did for the first few parameters (i.e. '{10}'). HTH JP

"Andrew Banks" <[email protected]> wrote in message

I'm running the following code in a C#.NET page and it doesn't enter the
values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think it's the
slashes(/) that are causing the problem. If I don't enter a DOB in this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial

catalog=Friends;

user

 

[Andrew Banks]

Thanks Miha.

Will a Date/Time field in a SQL Server 2000 database accept this format?

Hi Andrew,

If I remember the format 'yyyymmdd' is the most universal for this (it isn't
regional settings dependent)

--
Miha Markic - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

Joey, dose this statement further down the code cover that?

if (txtBirth.Text != string.Empty)
values.Add("'" + txtBirth.Text + "'");
else
values.Add("Null");

Andrew, dates must be enclosed within single quotes in all SQL
statements. Parameter {10} below is for DateofBirth and is not
enclosed in single quotes. You should wrap it in single quotes like
you did for the first few parameters (i.e. '{10}'). HTH JP

"Andrew Banks" <[email protected]> wrote in message

I'm running the following code in a C#.NET page and it doesn't enter the
values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think it's the
slashes(/) that are causing the problem. If I don't enter a DOB in this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial

catalog=Friends;

user
id=sa;");

cmd = new SqlCommand(sql, con);

con.Open();

bool doredirect=true;

try

{

cmd.ExecuteNonQuery();

}

catch

{

doredirect = false;

this.lblMessage.Visible = true;

//this.lblMessage.Text = "Insert couldn't be performed. Username may already
be taken.";

this.lblMessage.Text = sql;

}

finally

{

con.Close();

}

if (doredirect)

Response.Redirect("Login.aspx");

}



else

lblMessage.Text = "Fix the following errors and retry:";

}

 

[Miha Markic]

Hi Andrew,

Yes, it should.

--
Miha Markic - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

Thanks Miha.

Will a Date/Time field in a SQL Server 2000 database accept this format?

Hi Andrew,

If I remember the format 'yyyymmdd' is the most universal for this (it isn't
regional settings dependent)

--
Miha Markic - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

Joey, dose this statement further down the code cover that?

if (txtBirth.Text != string.Empty)
values.Add("'" + txtBirth.Text + "'");
else
values.Add("Null");

Andrew, dates must be enclosed within single quotes in all SQL
statements. Parameter {10} below is for DateofBirth and is not
enclosed in single quotes. You should wrap it in single quotes like
you did for the first few parameters (i.e. '{10}'). HTH JP

I'm running the following code in a C#.NET page and it doesn't

enter
the

values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think

it's
the

slashes(/) that are causing the problem. If I don't enter a DOB in this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}',
'{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial catalog=Friends;
user
id=sa;");

cmd = new SqlCommand(sql, con);

con.Open();

bool doredirect=true;

try

{

cmd.ExecuteNonQuery();

}

catch

{

doredirect = false;

this.lblMessage.Visible = true;

//this.lblMessage.Text = "Insert couldn't be performed. Username may
already
be taken.";

this.lblMessage.Text = sql;

}

finally

{

con.Close();

}

if (doredirect)

Response.Redirect("Login.aspx");

}



else

lblMessage.Text = "Fix the following errors and retry:";

}

 

[Andrew Banks]

Thanks Miha,

I'm at work at the moment snowed under with PHP so will give this a try when
I get home tonight.

Hi Andrew,

Yes, it should.

--
Miha Markic - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

Thanks Miha.

Will a Date/Time field in a SQL Server 2000 database accept this format?

Hi Andrew,

If I remember the format 'yyyymmdd' is the most universal for this (it isn't
regional settings dependent)

--
Miha Markic - RightHand .NET consulting & software development
miha at rthand com
www.rthand.com

Joey, dose this statement further down the code cover that?

if (txtBirth.Text != string.Empty)
values.Add("'" + txtBirth.Text + "'");
else
values.Add("Null");

Andrew, dates must be enclosed within single quotes in all SQL
statements. Parameter {10} below is for DateofBirth and is not
enclosed in single quotes. You should wrap it in single quotes like
you did for the first few parameters (i.e. '{10}'). HTH JP

I'm running the following code in a C#.NET page and it doesn't enter
the
values into the DB. I'm certain the problem is to do with the txtBirth
field. It allows users to enter a DOB as dd/mm/yyyy and I think it's
the
slashes(/) that are causing the problem. If I don't enter a DOB in
this
field then all the data enters into the database without a problem.

Any ideas?

SQL Server 2000, VS.NET, C#

if (Page.IsValid)

{

// Save the new user to the database

SqlConnection con;

string sql;

SqlCommand cmd;

StringBuilder sb = new StringBuilder();

ArrayList values = new ArrayList();

sb.Append("INSERT INTO [User] ");

sb.Append("(UserID, Login, Password, FirstName, LastName, ");

sb.Append("PhoneNumber, Email, IsAdministrator, Address, ");

sb.Append("CellNumber, DateOfBirth) ");

sb.Append("VALUES ('{0}', '{1}', '{2}', '{3}', '{4}', '{5}', '{6}',
'{7}',
");

// Optional values without quotes as they can be null

sb.Append("{8}, {9}, {10})");

// Add required values to replace

values.Add(Guid.NewGuid().ToString());

values.Add(txtLogin.Text);

values.Add(txtPwd.Text);

values.Add(txtFName.Text);

values.Add(txtLName.Text);

values.Add(txtPhone.Text);

values.Add(txtEmail.Text);

values.Add(0);

// Add the optional values or Null

if (txtAddress.Text != string.Empty)

values.Add("'" + txtAddress.Text + "'");

else

values.Add("Null");

if (txtMobile.Text != string.Empty)

values.Add("'" + txtMobile.Text + "'");

else

values.Add("Null");

if (txtBirth.Text != string.Empty)

values.Add("'" + txtBirth.Text + "'");

else

values.Add("Null");

// Format the string with the array of values

sql = String.Format(sb.ToString(), values.ToArray());

// Connect and execute the SQL

con = new SqlConnection("data source=127.0.0.1;initial
catalog=Friends;
user
id=sa;");

cmd = new SqlCommand(sql, con);

con.Open();

bool doredirect=true;

try

{

cmd.ExecuteNonQuery();

}

catch

{

doredirect = false;

this.lblMessage.Visible = true;

//this.lblMessage.Text = "Insert couldn't be performed. Username may
already
be taken.";

this.lblMessage.Text = sql;

}

finally

{

con.Close();

}

if (doredirect)

Response.Redirect("Login.aspx");

}



else

lblMessage.Text = "Fix the following errors and retry:";

}

 

[Andrew Banks]

The author of the book replied to an email today but I'm not sure where to
change these settings. Can anyone shed any light?
Where do I change this and what are the global settings?

"Wrox ceased to exist. Therefore, there's no site, no errata, no nothing.
Unfortunately.
I can certainly say that probably your problem is with the date format. It
must match the format on your global configuration. If it doesn't work, try
another one, such as dd-MM-YYYY, MM-dd-YYYY, etc."

 

[Andrew Banks]

Thanks for all your help I've got around the problem by validating the text
box against a regular expression that will only accept the date in a "7
January 2004" format.