A couple of things. When sharing code it is good to highlight the code and press the </> button on the toolbar. This will format the code nicely and make it far more readable.
The second thing: from a security point of view it is very, very dangerous to write SQL code by concatenating strings together like this. By cleverly entering bad data into your application, the application could be used to do things like "erase your entire database" or "share any data that is contained in the database with the hacker". You need to look at SQL Injection. It is very real and happens frequently.
One of the best ways of preventing this is to use prepared statements. They also make your life easier because you don't have to worry about things such as quoting strings and adjusting for strange characters in your source data (such as " and ').
The simple guide. Instead of:
sql = "INSERT INTO StoreDetails (ID, OwnersName, OwnersSurname, OwnersEmail, OwnersPhone, OwnersAddress1, OwnersAddress2, OwnersAddress3, OwnersCityStateRegion, OwnersPostalCode, SiteName, SitePhone, SiteEmail, SiteAddress1, SiteAddress2, SiteAddress3, SiteCityStateRegion, SitePostalCode) VALUES ('"+txtOwnersName.Text+"', '"+txtOwnersSurname.Text+"', '"+txtOwnersEmail.Text+"', '"+txtOwnersPhone.Text+"', '"+txtOwnersAddress1.Text+"', '"+txtOwnersAddress2.Text+"', '"+txtOwnersAddress3.Text+"', '"+txtOwnersCityStateRegion.Text+"', '"+txtOwnersPostalCode.Text+"', '"+txtSiteName.Text+"', '"+txtSitePhone.Text+"', '"+txtSiteEmail.Text+"', '"+txtSiteAddress1.Text+"', '"+txtSiteAddress2.Text+"', '"+txtSiteAddress3.Text+"', '"+txtSiteCityStateRegion.Text+"', '"+txtSitePostalCode.Text+"');"
you do the following:
sql = "INSERT INTO StoreDetails (ID, OwnersName, OwnersSurname, OwnersEmail, OwnersPhone, OwnersAddress1, OwnersAddress2, OwnersAddress3, OwnersCityStateRegion, OwnersPostalCode, SiteName, SitePhone, SiteEmail, SiteAddress1, SiteAddress2, SiteAddress3, SiteCityStateRegion, SitePostalCode) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);"
That's a ? for each parameter. You then call ExecuteSQL and pass in the values you wish to include.
db.ExecuteSQL( sql, txtOwnersName.Text, txtOwnersSurname.Text, txtOwnersEmail.Text, txtOwnersPhone.Text, txtOwnersAddress1.Text, txtOwnersAddress2.Text, txtOwnersAddress3.Text, txtOwnersCityStateRegion.Text, txtOwnersPostalCode.Text, txtSiteName.Text, txtSitePhone.Text, txtSiteEmail.Text, txtSiteAddress1.Text, txtSiteAddress2.Text, txtSiteAddress3.Text, txtSiteCityStateRegion.Text, txtSitePostalCode.Text )
It is so much safer.
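The same contrast, written as an added example in Python with the standard-library sqlite3 module rather than Xojo (this is not code from the thread; the reduced StoreDetails schema, the helper names and the sample inputs are constructed for illustration). It runs the concatenated INSERT and the ?-placeholder INSERT on identical input and shows what the post describes: an ordinary surname containing an apostrophe breaks the concatenated statement, while the prepared statement stores it verbatim because the driver never treats the value as SQL text.

```python
import sqlite3

# Constructed schema: a cut-down version of the StoreDetails table from the thread.
SCHEMA = """
CREATE TABLE StoreDetails (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    OwnersName TEXT,
    OwnersSurname TEXT,
    SiteName TEXT
)
"""


def new_db():
    """Fresh in-memory database with the constructed schema."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def insert_concatenated(db, name, surname, site):
    """The pattern the post warns against: user input spliced into the SQL text."""
    sql = ("INSERT INTO StoreDetails (OwnersName, OwnersSurname, SiteName) VALUES ('"
           + name + "', '" + surname + "', '" + site + "')")
    db.execute(sql)
    db.commit()


def insert_prepared(db, name, surname, site):
    """The fix: one ? per value, values handed to the driver separately."""
    sql = "INSERT INTO StoreDetails (OwnersName, OwnersSurname, SiteName) VALUES (?, ?, ?)"
    db.execute(sql, (name, surname, site))
    db.commit()


def stored_surnames(db):
    """Read back what actually landed in the table."""
    return [row[0] for row in db.execute("SELECT OwnersSurname FROM StoreDetails ORDER BY ID")]


def compare(name, surname, site):
    """Run both versions on the same input.

    Returns (outcome of the concatenated insert, surnames stored by the prepared insert).
    The concatenated version fails as soon as a value contains a quote; the prepared
    version stores the value exactly as typed.
    """
    db_concat = new_db()
    try:
        insert_concatenated(db_concat, name, surname, site)
        concat_outcome = "ok"
    except sqlite3.Error as exc:
        concat_outcome = "error: " + type(exc).__name__

    db_prepared = new_db()
    insert_prepared(db_prepared, name, surname, site)
    return concat_outcome, stored_surnames(db_prepared)


if __name__ == "__main__":
    # Constructed sample inputs: a plain name, then one with an apostrophe.
    print(compare("Alice", "Smith", "Main St Store"))
    print(compare("Brian", "O'Brien", "Main St Store"))
```

The second call is the instructive one: the concatenated statement becomes `... VALUES ('Brian', 'O'Brien', ...)`, which the database rejects as malformed SQL, whereas the prepared statement records `O'Brien` without any quoting work on the caller's side. That is the same reason the Xojo version with `?` placeholders and `ExecuteSQL` needs no escaping of the `.Text` values.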