Formatting values into the SQL query string is vulnerable to SQL injection attacks.
Always use parameterized queries to prevent SQL injection attacks in SQL Server.
Try it like this:
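// Parameterized INSERT: each user-supplied value is sent as a parameter rather than
// spliced into the SQL text, so input cannot alter the structure of the statement.
// NOTE: no connection is attached in this snippet; set cmd.Connection (or pass a
// SqlConnection to the constructor) before executing the command.
SqlCommand cmd = new SqlCommand("INSERT INTO student_details (name, father, mother, surname, phone, email, grno, course, rollno, yearofjoin,state,blood,address,pic) VALUES ( @name, @father, @mother, @surname, @phone, @email, @grno, @course, @rollno, @yearofjoin,@state,@blood,@address,@pic)");

// AddWithValue infers the SQL parameter type from the .NET value that is passed in.
cmd.Parameters.AddWithValue("@name", name.Text);
cmd.Parameters.AddWithValue("@father", father.Text);
cmd.Parameters.AddWithValue("@mother", mother.Text);
cmd.Parameters.AddWithValue("@surname", surname.Text);
// The statement declares @phone, so a value has to be supplied or execution fails.
// Assumes a 'phone' input control named like the others; confirm against the form.
cmd.Parameters.AddWithValue("@phone", phone.Text);
cmd.Parameters.AddWithValue("@email", email.Text);
cmd.Parameters.AddWithValue("@grno", grno.Text);
cmd.Parameters.AddWithValue("@course", course.Text);
cmd.Parameters.AddWithValue("@rollno", rollno.Text);
// Convert.ToDateTime throws FormatException on malformed text and parses with the
// current culture; validate with DateTime.TryParseExact first when the format is known.
cmd.Parameters.AddWithValue("@yearofjoin", Convert.ToDateTime(yearofjoin.Text));
cmd.Parameters.AddWithValue("@state", comboBox1sem.Text);
cmd.Parameters.AddWithValue("@blood", comboBox1blood.Text);
cmd.Parameters.AddWithValue("@address", address.Text);
// 'pic' is defined outside this snippet; presumably the image bytes. Confirm its type.
cmd.Parameters.AddWithValue("@pic", pic);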
Use the DateTime.TryParseExact method to convert a date/time from a known string format; it returns false for input that does not match instead of throwing an exception.