Hi democloud,
Use a parameterized query instead of directly passing the value inline in the query text.
Please refer to the sample below.
HTML
Name
<br />
<%-- Free-text inputs; the code-behind passes their values to SQL only as command parameters, never by string concatenation. --%>
<asp:TextBox ID="txtName" runat="server"></asp:TextBox>
<br />
Country
<br />
<asp:TextBox runat="server" ID="txtCountry"></asp:TextBox>
<br />
<%-- Raises the Insert handler in the code-behind. --%>
<asp:Button Text="Insert" runat="server" OnClick="Insert" />
<br />
<%-- AutoGenerateColumns="false": only the three BoundFields below are rendered, regardless of what the DataTable contains. --%>
<asp:GridView runat="server" ID="gvCustomers" AutoGenerateColumns="false">
<Columns>
<asp:BoundField DataField="CustomerId" HeaderText="CustomerId" />
<asp:BoundField DataField="Name" HeaderText="Name" />
<asp:BoundField DataField="Country" HeaderText="Country" />
</Columns>
</asp:GridView>
Namespaces
C#
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
VB.Net
Imports System.Data.SqlClient
Imports System.Data
Code
C#
/// <summary>
/// Page load handler: binds the customers grid on the initial (non-postback) request only.
/// Postbacks that change data (see <see cref="Insert"/>) rebind the grid themselves.
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Guard clause: nothing to do on a postback.
    if (IsPostBack)
    {
        return;
    }

    gvCustomers.DataSource = GetDataTable();
    gvCustomers.DataBind();
}
/// <summary>
/// Loads every row of the Customers table (CustomerId, Name, Country) into a <see cref="DataTable"/>.
/// </summary>
/// <returns>
/// The filled table. The connection, command and adapter are all disposed before it is returned,
/// so the caller holds no database resources.
/// </returns>
public DataTable GetDataTable()
{
    // Connection string comes from the <connectionStrings> entry named "constr" in the application's config file.
    string connectionString = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
    const string selectSql = "SELECT CustomerId, Name, Country FROM Customers";

    // Stacked using statements: one scope, three disposables released in reverse order.
    using (SqlConnection connection = new SqlConnection(connectionString))
    using (SqlCommand command = new SqlCommand(selectSql, connection))
    using (SqlDataAdapter adapter = new SqlDataAdapter(command))
    {
        // No explicit Open(): SqlDataAdapter.Fill opens a closed connection and closes it again when done.
        DataTable customers = new DataTable();
        adapter.Fill(customers);
        return customers;
    }
}
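/// <summary>
/// Insert button click handler: stores the Name and Country text boxes as a new Customers row,
/// then rebinds the grid so the new row is visible.
/// </summary>
/// <param name="sender">The button raising the event.</param>
/// <param name="e">Event data (unused).</param>
protected void Insert(object sender, EventArgs e)
{
    string constr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
    // User input travels only as @Name / @Country parameters; it is never spliced into the SQL text,
    // so a value such as a quote or a semicolon cannot change the statement.
    const string insertSql = "INSERT INTO Customers(Name,Country) VALUES (@Name, @Country)";

    using (SqlConnection con = new SqlConnection(constr))
    using (SqlCommand cmd = new SqlCommand(insertSql, con))
    {
        con.Open();
        cmd.Parameters.AddWithValue("@Name", txtName.Text);
        // Fixed: the original bound @Country to txtName.Text, silently writing the name into the Country column.
        cmd.Parameters.AddWithValue("@Country", txtCountry.Text);
        // NOTE(review): AddWithValue infers SqlDbType and size from the runtime value. If the column types
        // are known, cmd.Parameters.Add("@Name", SqlDbType.NVarChar, <column-length>) avoids implicit
        // conversions and one cached plan per distinct input length — confirm against the table schema.
        cmd.ExecuteNonQuery();
        // The using blocks close and dispose the connection; no explicit Close() needed.
    }

    // Reload the grid so the inserted row appears immediately.
    this.gvCustomers.DataSource = GetDataTable();
    this.gvCustomers.DataBind();
}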
VB.Net
''' <summary>
''' Page load handler: binds the customers grid on the initial (non-postback) request only.
''' Postbacks that change data (see Insert) rebind the grid themselves.
''' </summary>
''' <param name="sender">The page raising the event.</param>
''' <param name="e">Event data (unused).</param>
Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
    ' Guard clause: nothing to do on a postback.
    If IsPostBack Then Return

    gvCustomers.DataSource = GetDataTable()
    gvCustomers.DataBind()
End Sub
''' <summary>
''' Loads every row of the Customers table (CustomerId, Name, Country) into a DataTable.
''' </summary>
''' <returns>
''' The filled table. The connection, command and adapter are all disposed before it is returned,
''' so the caller holds no database resources.
''' </returns>
Public Function GetDataTable() As DataTable
    ' Connection string comes from the <connectionStrings> entry named "constr" in the application's config file.
    Dim connectionString As String = ConfigurationManager.ConnectionStrings("constr").ConnectionString
    Const selectSql As String = "SELECT CustomerId, Name, Country FROM Customers"

    ' One Using block owning all three disposables; they are released in reverse order.
    Using connection As New SqlConnection(connectionString),
          command As New SqlCommand(selectSql, connection),
          adapter As New SqlDataAdapter(command)
        ' No explicit Open(): SqlDataAdapter.Fill opens a closed connection and closes it again when done.
        Dim customers As New DataTable()
        adapter.Fill(customers)
        Return customers
    End Using
End Function
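''' <summary>
''' Insert button click handler: stores the Name and Country text boxes as a new Customers row,
''' then rebinds the grid so the new row is visible.
''' </summary>
''' <param name="sender">The button raising the event.</param>
''' <param name="e">Event data (unused).</param>
Protected Sub Insert(ByVal sender As Object, ByVal e As EventArgs)
    Dim constr As String = ConfigurationManager.ConnectionStrings("constr").ConnectionString
    ' User input travels only as @Name / @Country parameters; it is never spliced into the SQL text,
    ' so a value such as a quote or a semicolon cannot change the statement.
    Const insertSql As String = "INSERT INTO Customers(Name,Country) VALUES (@Name, @Country)"

    Using con As SqlConnection = New SqlConnection(constr)
        Using cmd As SqlCommand = New SqlCommand(insertSql, con)
            con.Open()
            cmd.Parameters.AddWithValue("@Name", txtName.Text)
            ' Fixed: the original bound @Country to txtName.Text, silently writing the name into the Country column.
            cmd.Parameters.AddWithValue("@Country", txtCountry.Text)
            ' NOTE(review): AddWithValue infers SqlDbType and size from the runtime value. If the column types
            ' are known, cmd.Parameters.Add("@Name", SqlDbType.NVarChar, <column-length>) avoids implicit
            ' conversions and one cached plan per distinct input length — confirm against the table schema.
            cmd.ExecuteNonQuery()
            ' The Using blocks close and dispose the connection; no explicit Close() needed.
        End Using
    End Using

    ' Reload the grid so the inserted row appears immediately.
    Me.gvCustomers.DataSource = GetDataTable()
    Me.gvCustomers.DataBind()
End Sub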
Screenshot