Column name or number of supplied values does not match table definition (Incorrect Date format?)

StackOverflow https://stackoverflow.com/questions/23664264

  •  22-07-2023
  •  | 
  •  

Question

I've got the following error message within my ASP.Net application (C#): 

Column name or number of supplied values does not match table definition

The table definition looks as following: 

CREATE TABLE [dbo].[Invoices] (
[Id]             INT        NOT NULL,
[EMail]          NCHAR (30) NOT NULL,
[InvoiceNr]      INT        NOT NULL,
[Datum]          DATE       NOT NULL,
[AnzahlProdukte] INT        NOT NULL,
[Gesamtpreis]    MONEY      NOT NULL,
PRIMARY KEY CLUSTERED ([Id] ASC)
);

My insert in C# looks like this:

string command = String.Format("INSERT into Invoices values ({0}, '{1}', {2}, '{3}', {4}, {5});", currId, EmailAdressCustomer, currInvoices, today, quantityCart, price);

The datatypes looks as following:

int currId = 0;
string EmailAdressCustomer = Session["CustomerEmail"].ToString();
int currInvoices = 0;
DateTime today = DateTime.Now;
int quantityCart = 0;
double fullprice = Convert.ToDouble(Session["FullPrice"].ToString());
        SqlMoney price = new SqlMoney();
        price = (SqlMoney) fullprice;

I hope that anyone can help me. Thanks alot!

Was it helpful?

Solution

The problem is the double value that string.Format transform in a string using the locale decimal separator. And if you have a locale where the decimal separator is a comma then you are ready for a big surprise.

For example, if you have 

double price = 12.4;
string s = string.Format("{0}", price);
Console.WriteLine(s);

in my locale (italian) the output is 

12,4

as you can see, with string concatenation this becomes a new value that is not expected by the table definition

I could point to a different overload of string.Format like this one

string.Format(CultureInfo.InvariantCulture, "{0}", price);

but this is just a way to cure the symptoms of the problem and not the real issue.
The only recommended solution to this problem is a parameterized query

 string cmdText = "INSERT into Invoices values (@id, @email, @inv, @dt, @qta, @prix)";
 SqlCommand cmd = new SqlCommand(cmdText, connection);
 cmd.Parameters.AddWithValue("@id", currId);
 cmd.Parameters.AddWithValue("@email", emailAdressCustomer);
 cmd.Parameters.AddWithValue("@inv", currInvoices);
 cmd.Parameters.AddWithValue("@dt", today);
 cmd.Parameters.AddWithValue("@qta", quantityCart);
 cmd.Parameters.AddWithValue("@pix", price);
 connection.Open();
 cmd.ExecuteNonQuery();

In this way, the proper handling of the decimal separator, string quotes, date formatting (and don't forget the whole Sql Injection vulnerability) is passed to the framework code that probably knows better how to do it.

OTHER TIPS

In MS SQL, Date is not the same thing as DateTime. Date is a date only, DateTime has more data to hold time information as well. Switch it to a DATETIME in SQL. Take a look here for more information

EDIT:

You also need to defend against SQL injection. Do this with parameterized SQL queries and commands.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top