Change your code to use a parameterized query, which fixes the SQL injection vulnerability: the user-supplied values are bound as parameters and are never spliced into the SQL text, so they cannot alter the statement. Pass your date parameters as dates (DateTime values), rather than strings, so the server receives a typed DATETIME instead of text it would have to parse under its own culture/DATEFORMAT settings.
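// Parameterized INSERT: every value is bound by name, so nothing the user typed becomes part of the SQL text.
// NOTE(review): the statement has no column list, so the parameter order must match the table's
// column order exactly; listing the target columns explicitly would make a schema change fail
// loudly instead of silently writing values into the wrong columns.
const string sqlQuery = "Insert into tblPersonal values(@regdate, @assemblys, @surname, @othername, @gender, @Nationality, @DateOfBirth, @postaladdress, @residentialaddress, @hometownaddress, @telephone, @email, @occupation, @maritalstatus, @nameofspouse, @motherfullname, @motherlivingstatus, @motherhometown, @fatherfullname, @fatherlivingstatus, @fatherhometown, @nokname, @nokresidence, @noktelephone, @images)";

// The command must use the same connection object that is opened/closed below (the original
// referenced "con" here and "conn" further down).
using (SqlCommand cmd = new SqlCommand(sqlQuery, conn))
{
    cmd.CommandType = System.Data.CommandType.Text;

    // Date columns: declare the SqlDbType explicitly so the value travels as a DATETIME rather than
    // as text the server would parse under its own (culture/DATEFORMAT-dependent) rules.
    // regdate and dateofbirth are expected to already be DateTime values; if they are still strings,
    // parse them with an explicit format (DateTime.ParseExact) before reaching this point.
    cmd.Parameters.Add("@regdate", System.Data.SqlDbType.DateTime).Value = regdate;

    // Text columns. AddWithValue infers the SQL type and length from the .NET value; this is
    // injection-safe, but declaring SqlDbType/size per column once the column sizes are known avoids
    // plan-cache churn (one plan per distinct string length) and truncation surprises.
    cmd.Parameters.AddWithValue("@assemblys", assemblys);
    cmd.Parameters.AddWithValue("@surname", surname);
    cmd.Parameters.AddWithValue("@othername", othername);
    cmd.Parameters.AddWithValue("@gender", gender);
    cmd.Parameters.AddWithValue("@Nationality", Nationality);
    cmd.Parameters.Add("@DateOfBirth", System.Data.SqlDbType.DateTime).Value = dateofbirth;
    cmd.Parameters.AddWithValue("@postaladdress", postaladdress);
    cmd.Parameters.AddWithValue("@residentialaddress", residentialaddress);
    cmd.Parameters.AddWithValue("@hometownaddress", hometownaddress);
    cmd.Parameters.AddWithValue("@telephone", telephone);
    cmd.Parameters.AddWithValue("@email", email);
    cmd.Parameters.AddWithValue("@occupation", occupation);
    cmd.Parameters.AddWithValue("@maritalstatus", maritalstatus);
    cmd.Parameters.AddWithValue("@nameofspouse", nameofspouse);
    cmd.Parameters.AddWithValue("@motherfullname", motherfullname);
    cmd.Parameters.AddWithValue("@motherlivingstatus", motherlivingstatus);
    cmd.Parameters.AddWithValue("@motherhometown", motherhometown);
    cmd.Parameters.AddWithValue("@fatherfullname", fatherfullname);
    cmd.Parameters.AddWithValue("@fatherlivingstatus", fatherlivingstatus);
    cmd.Parameters.AddWithValue("@fatherhometown", fatherhometown);
    cmd.Parameters.AddWithValue("@nokname", nokname);
    cmd.Parameters.AddWithValue("@nokresidence", nokresidence);
    cmd.Parameters.AddWithValue("@noktelephone", noktelephone);
    cmd.Parameters.AddWithValue("@images", images);

    try
    {
        // Open inside the try so a failure between Open and Execute still reaches Close
        // (Close is a no-op on a connection that never opened).
        conn.Open();
        cmd.ExecuteNonQuery();
    }
    finally
    {
        conn.Close();
    }
}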
The report query needs the same treatment — the date range comes from the form's controls, so it is user-controlled and must be bound as parameters rather than concatenated:
// Report query: the date range is bound as parameters, never concatenated into the SQL text.
const string reportSql = "SELECT * from tblPersonal WHERE Regdate BETWEEN @StartDate AND @EndDate ORDER BY Surname";
SqlDataAdapter adp = new SqlDataAdapter(reportSql, conn);

// dtpDate1/dtpDate2 look like DateTimePickers, whose Value is a DateTime, so the parameters reach
// the server as DATETIME values rather than as text it has to parse.
var rangeStart = this.dtpDate1.Value;
var rangeEnd = this.dtpDate2.Value;
// NOTE(review): both picker values carry a time-of-day component; if Regdate is a datetime column
// rather than a date, BETWEEN will exclude rows registered later than the picked time on the end day.
adp.SelectCommand.Parameters.AddWithValue("@StartDate", rangeStart);
adp.SelectCommand.Parameters.AddWithValue("@EndDate", rangeEnd);