
In the code-behind I have this:

    protected void ButtonSave_Click(object sender, EventArgs e)
    {
        // ProviderUserKey of the current Membership user (a Guid for the SQL provider)
        Guid guid = (Guid)Membership.GetUser().ProviderUserKey;
        string name = TextBoxCategoryName.Text;
        // string user = Membership.GetUser().UserName;

        this.connection.Open();
        command = connection.CreateCommand();
        // Values are concatenated straight into the SQL text
        command.CommandText = "insert into ProfitCategories(name, IdUser) values ( '" + name + "', " + guid + " )";
        command.ExecuteNonQuery();

        connection.Close();
    }

but this gives an error: Incorrect syntax near 'a8'. How do I get the GUID of the current user and insert it into the database?

  • Parameterize your query to protect against SQL injection and I bet your problem will be solved. Commented Apr 1, 2013 at 22:30
  • Have a look here: msdn.microsoft.com/en-us/library/… Parametrizing your parameters will protect you against SQL injection and make your application (more) secure. Commented Apr 1, 2013 at 22:34
  • Are you getting null in the guid? What is the value you are getting for Membership.GetUser()? Is that also null? Commented Apr 1, 2013 at 22:35
  • f546c6d8-5032-42a8-af48-a68024f38066, this is my GUID. Commented Apr 1, 2013 at 22:40

2 Answers


Though Mike has presented you with the answer, I would like to draw your attention to using a stored procedure instead of SQL queries.

  using System;
  using System.Data;
  using System.Data.SqlClient;
  using System.Web.Security;

  // sqlConnection is the connection string (for example read from web.config)
  private int InsertProfitCategory()
  {
      try
      {
          Guid guid = (Guid)Membership.GetUser().ProviderUserKey;
          string name = TextBoxCategoryName.Text;

          using (SqlConnection con = new SqlConnection(sqlConnection))
          {
              // the command must use the SqlConnection object, not the connection string
              SqlCommand command = new SqlCommand("sp_InsertUserDatails", con);
              command.CommandType = CommandType.StoredProcedure;
              command.Parameters.Add("@name", SqlDbType.VarChar).Value = name;
              // the procedure declares @IdUser as varchar, so pass the GUID as text
              command.Parameters.Add("@IdUser", SqlDbType.VarChar).Value = guid.ToString();
              con.Open();
              return command.ExecuteNonQuery();
              // no explicit Close() needed: the using block disposes (and closes)
              // the connection, also when ExecuteNonQuery throws
          }
      }
      catch (SqlException ex)
      {
          Console.WriteLine("SQL Error " + ex.Message);
          return 0;
      }
  }

And here is the stored procedure:

  CREATE PROCEDURE sp_InsertUserDatails
  (
      @name varchar(100),
      @IdUser varchar(100)
  )
  AS
  BEGIN
      insert into dbo.ProfitCategories(name, IdUser)
      values (@name, @IdUser)
  END
  GO

2 Comments

I'll +1 that for showing a code example (even though you didn't show how to write a SPROC ;)
@Mike On your suggestion :D .. Now still one thing is left: the connection string in web.config ;)

The small problem: You are missing single quotes around your GUID. It should be:

command.CommandText = "insert into ProfitCategories (name, IdUser) values ( '" + name + "', '" + guid + "' )";

But don't do this.

The big problem: You are at risk of SQL injection if you fix it like that. Use parameters for your SQL statement to fix it properly, or use a stored procedure.

Reading:

MSDN SqlCommand.Parameters

SQL Injection
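As an added example (not code from the question or from either answer), here is what the parameterized version of the original inline INSERT looks like in ADO.NET, with the GUID passed as a typed UniqueIdentifier parameter so that no quoting is involved at all. The connection string name "ProfitDb", the helper class name, and the column types (name as nvarchar(100), IdUser as uniqueidentifier) are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Hypothetical helper: inserts a ProfitCategories row for the current
// Membership user with a parameterized INSERT instead of string concatenation.
public static class ProfitCategoryRepository
{
    public static int InsertForCurrentUser(string categoryName)
    {
        MembershipUser user = Membership.GetUser();
        if (user == null)
        {
            // GetUser() returns null when nobody is logged in; fail early
            // instead of throwing a NullReferenceException on the cast below.
            throw new InvalidOperationException("No authenticated Membership user.");
        }
        Guid userId = (Guid)user.ProviderUserKey;

        // Assumed connection string entry in web.config: <add name="ProfitDb" ... />
        string connectionString =
            ConfigurationManager.ConnectionStrings["ProfitDb"].ConnectionString;

        // The SQL text never changes; every user-supplied value is a parameter.
        const string sql =
            "INSERT INTO dbo.ProfitCategories (name, IdUser) VALUES (@name, @IdUser)";

        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // A category name containing a quote (e.g. O'Neil) is just data here,
            // so it can neither break the statement nor alter its meaning.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = categoryName;

            // UniqueIdentifier keeps the GUID typed end to end: no quotes, no
            // string round-trip, and SQL Server rejects anything that is not a GUID.
            cmd.Parameters.Add("@IdUser", SqlDbType.UniqueIdentifier).Value = userId;

            con.Open();
            return cmd.ExecuteNonQuery();   // 1 on success
            // the using blocks dispose the command and close the connection
        }
    }
}

// Usage from the page's click handler (hypothetical wiring):
//
// protected void ButtonSave_Click(object sender, EventArgs e)
// {
//     ProfitCategoryRepository.InsertForCurrentUser(TextBoxCategoryName.Text);
// }
```

Giving the parameter an explicit SqlDbType and length also avoids the implicit-conversion surprises that come from letting ADO.NET infer the type from the .NET value, and it matches how the column is declared so the server does not have to convert on every insert.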
