sign up button
http://forums.asp.net/t/1789235.aspx/1?sign+up+button
Thu, 05 Apr 2012 00:32:01 -0400

sign up button
http://forums.asp.net/p/1789235/4916382.aspx/1?sign+up+button
2012-04-04T16:54:44-04:00

ASP.NET 3.5 using VB.

I have made a sign up button that accepts data from the user, and when the user clicks the sign up button it stores the data in the Sign table of the database.

The code for the sign up button is:

    Protected Sub Button1_Click1(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click

        con.Open()
        cmd = New SqlCommand("insert into sign values('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "','" + TextBox4.Text + "')", con)
        cmd.ExecuteNonQuery()
    End Sub

But after running the web page, entering all the details and clicking the sign up button, it directs me to the code section and gives an error for this line:

    cmd.ExecuteNonQuery()

The insert error is:

    SqlException was unhandled by user code.
    Column name or number of supplied values does not match table definition.

Re: sign up button
http://forums.asp.net/p/1789235/4916391.aspx/1?Re+sign+up+button
2012-04-04T16:59:57-04:00

Looks like you may be supplying too few or too many values to be handled in this way.

Try writing your insert command like so:

    INSERT INTO table_name (column1, column2, column3,...) VALUES (value1, value2, value3,...)

Also, I would highly suggest not placing data into a database the way you are doing it currently. Releasing code using raw user-supplied data from a text box with no form of sanitization leaves you open to SQL injections. Look into parameterizing your query.

Re: sign up button
http://forums.asp.net/p/1789235/4916429.aspx/1?Re+sign+up+button
2012-04-04T17:29:03-04:00

Hi,

This doesn't answer your question, but when I saw your code I had to say this: please do not put values from a text box or a variable directly into a query. Use SQL parameters instead to prevent SQL injection. Look at this link for more information on the matter: http://msdn.microsoft.com/en-us/library/ff648339.aspx

Hope this helps.

Regards,

Yorrick

Re: sign up button
http://forums.asp.net/p/1789235/4916882.aspx/1?Re+sign+up+button
2012-04-05T00:32:01-04:00

Just to emphasize what the others have already contributed: you are not passing in the required number of fields for your table. Did you set a primary key on the table? If so, does it auto-increment, or do you have to set that field yourself? That is most likely what is missing, but it is impossible to say without looking at the table schema.

I agree with the SQL injection issue. Never append your values into a dynamic SQL query like that. It is bad, bad, bad news. There are many resources out there that can point you in the right direction for securing your SQL queries. Here is one of those resources that might be helpful: http://software-security.sans.org/developer-how-to/fix-sql-injection-microsoft-.net-with-parameterized-queries
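
The two changes the replies recommend (an explicit column list and SQL parameters), applied to the posted handler as an added example that is not part of the original thread. The class name `SignUp`, the column names `Column1` to `Column4`, the `NVarChar(100)` sizes and the connection string name `SignDb` are assumptions; replace them with the real schema and configuration.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Partial Class SignUp
    Inherits System.Web.UI.Page

    ' Explicit column list: the INSERT no longer depends on how many columns
    ' the table has, so an identity or defaulted column can simply be omitted.
    ' Column1..Column4 are placeholder names (assumption).
    Private Const InsertSql As String = _
        "INSERT INTO sign (Column1, Column2, Column3, Column4) " & _
        "VALUES (@v1, @v2, @v3, @v4)"

    Protected Sub Button1_Click1(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        ' "SignDb" is an assumed entry in the connectionStrings section of web.config.
        Dim connStr As String = _
            ConfigurationManager.ConnectionStrings("SignDb").ConnectionString

        ' Using blocks close the connection and command even if the insert throws.
        Using con As New SqlConnection(connStr)
            Using cmd As New SqlCommand(InsertSql, con)
                ' Each text box value is sent as a typed parameter. The server
                ' treats it as data only, so quotes or SQL keywords typed by the
                ' user cannot change the statement. Sizes are assumed.
                cmd.Parameters.Add("@v1", SqlDbType.NVarChar, 100).Value = TextBox1.Text
                cmd.Parameters.Add("@v2", SqlDbType.NVarChar, 100).Value = TextBox2.Text
                cmd.Parameters.Add("@v3", SqlDbType.NVarChar, 100).Value = TextBox3.Text
                cmd.Parameters.Add("@v4", SqlDbType.NVarChar, 100).Value = TextBox4.Text

                con.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub
End Class
```

If the fourth text box holds a password, store a salted hash of it rather than the raw value.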