Try this:
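/// <summary>
/// Handles the "Post Ad" button: checks that a real State and City are selected,
/// saves the uploaded photo (if any) under ~\ProductImage\ and inserts the ad into
/// ProductDetailsTable through a parameterised command.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnPostAd_Click(object sender, EventArgs e)
{
    // Both drop-downs must hold a real selection, not their placeholder entry.
    if (ddlState.SelectedItem.Text == "Select State" || ddlCity.SelectedItem.Text == "Select City")
    {
        ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Select State/City')", true);
        return;
    }

    // Value stored in the ContactPhoto column when nothing was uploaded.
    string strimage = "NoImage.jpg";

    if (FileUpload1.PostedFile.ContentLength != 0)
    {
        // FileUpload1.FileName is client-controlled and may contain directory
        // components (including "..\"); keep only the base name so the file can
        // never be written outside ~\ProductImage\.
        string fileName = System.IO.Path.GetFileName(FileUpload1.FileName);
        string extension = System.IO.Path.GetExtension(fileName);

        // ~\ProductImage\ is served by the web server, so only image extensions
        // are accepted; anything else (e.g. a server page) must not land there.
        // NOTE(review): extend this list if the site needs other image formats.
        bool isImage = extension.Equals(".jpg", StringComparison.OrdinalIgnoreCase)
            || extension.Equals(".jpeg", StringComparison.OrdinalIgnoreCase)
            || extension.Equals(".png", StringComparison.OrdinalIgnoreCase)
            || extension.Equals(".gif", StringComparison.OrdinalIgnoreCase);
        if (string.IsNullOrEmpty(fileName) || !isImage)
        {
            ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Please upload a JPG, PNG or GIF image')", true);
            return;
        }

        strimage = @"~\ProductImage\" + fileName;
        // NOTE(review): a later upload with the same file name overwrites the earlier file.
        FileUpload1.PostedFile.SaveAs(Server.MapPath(strimage));
    }

    if (InsertProductDetails(strimage))
    {
        ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Your Add has been Posted Successfully')", true);
        // Reset the form only once the row is stored, so a failed attempt keeps the user's input.
        Clear();
    }
    else
    {
        // Generic message on purpose: database error details must not reach the browser.
        ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Your Add could not be posted, please try again')", true);
    }
}

/// <summary>
/// Inserts one row into ProductDetailsTable from the form fields. Every value is
/// passed as a SqlParameter, so user input is never part of the SQL text.
/// </summary>
/// <param name="contactPhoto">Value for the ContactPhoto column (image path or "NoImage.jpg").</param>
/// <returns><c>true</c> when the row was inserted; <c>false</c> when a <see cref="SqlException"/> occurred.</returns>
private bool InsertProductDetails(string contactPhoto)
{
    const string strInsert =
        "insert into ProductDetailsTable(Categories,CategoriesType,Title,Description,Price,State,City,ContactName,ContactEmail,ContactMobile,ContactPhoto,ContactViaEmail,Date)" +
        "values(@Categories,@CategoriesType,@Title,@Description,@Price,@State,@City,@ContactName,@ContactEmail,@ContactMobile,@ContactPhoto,@ContactViaEmail,@Date)";

    // 'using' disposes (and therefore closes) the connection and command on every exit path.
    using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["DBCONNECTION"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand(strInsert, con))
    {
        cmd.Parameters.AddWithValue("@Categories", lblEducation.Text);
        cmd.Parameters.AddWithValue("@CategoriesType", ddlCategoryType.Text);
        cmd.Parameters.AddWithValue("@Title", txtTitle.Text);
        cmd.Parameters.AddWithValue("@Description", txtDescription.Text);
        cmd.Parameters.AddWithValue("@Price", txtPrice.Text);
        cmd.Parameters.AddWithValue("@State", ddlState.SelectedItem.Text);
        cmd.Parameters.AddWithValue("@City", ddlCity.SelectedItem.Text);
        cmd.Parameters.AddWithValue("@ContactName", txtContactName.Text);
        cmd.Parameters.AddWithValue("@ContactEmail", txtContactEmail.Text);
        cmd.Parameters.AddWithValue("@ContactMobile", txtContactMobile.Text);
        cmd.Parameters.AddWithValue("@ContactPhoto", contactPhoto);
        cmd.Parameters.AddWithValue("@ContactViaEmail", txtContactedViaEmail.Text);
        cmd.Parameters.AddWithValue("@Date", lblDateTime.Text);

        try
        {
            con.Open();
            cmd.ExecuteNonQuery();
            return true;
        }
        catch (SqlException)
        {
            // TODO(review): record the exception with the project's logging; the
            // caller reports a generic failure so the details never reach the user.
            return false;
        }
    }
}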
Do not concatenate strings into the query. It leads to SQL injection.