Form which accepts & validate user input and saves that input to SQL Server

Hi,

I am working in Asp.Net 2.0, SQL Server, C#.
I am trying to create a User Input form which has lots of fields such as :
salutation;
Firstname:
lastname:
address:
Zip:
Phone:
Industry:
and many more. i want to validate user input and than it should save into sql server 2005 and additionally if am being able to send email also that will be great. could you please lead me toward a article or tutorial which can guide me through this process. This is gonna be first time that I am creating a huge form, before this i have created a small forms by using sqldatasource and formview of asp.net 2.0. any help will be appreciated.

Thank You

You could search Google or another search engine for C# validate user input and you should get some examples. Just think about designing your page in pieces. Start with basic information like first name and last name then test your validation. To insert the data into a database you will need some insert stored procedures. Your stored procedure will most likely have a parameter for every field on the page.

Good Luck

Nathan

Hi,

I am working in Asp.Net 2.0, SQL Server, C#.
I am trying to create a User Input form which has lots of fields such as :
salutation;
Firstname:
lastname:
address:
Zip:
Phone:
Industry:
and many more. i want to validate user input and than it should save into sql server 2005 and additionally if am being able to send email also that will be great. could you please lead me toward a article or tutorial which can guide me through this process. This is gonna be first time that I am creating a huge form, before this i have created a small forms by using sqldatasource and formview of asp.net 2.0. any help will be appreciated.

Thank You

I will be happy to walk you through the process if you like. First step should be to create the HTML (or at least a working portion of it).

You will need <asp:Label>'s and <asp:TextBox>'s for the fields. I would use a standard naming convention, so for instance the label for the first name would be something like lblFirstName and its corresponding TextBox would be txtFirstName.

Once that is done, you will need validators to make sure the input is valid. Everything but the Phone and Zip will just use have the RequiredFieldValidators. For the Phone and Zip textbox's, use RegularExpressionValidators. There are a few prebuilt expressions in VS 2005, and luckily there are ones for US Phone and US Zip Code. Use those with the corresponding Textboxes.

When you are done with all this, I will help you with the next step.


EDIT:

If you want links to sites, here are some:


Information about INSERT statements for SQL

Information about sending email through ASP .NET

Thank You TRScheel. as soon as finish this i'll back to seek help.

Hi, Here are fields which I have created. Reason behind pasting this is to show you that how it looks so far? Please guide me for the next step and feel free to suggest in following html

Nicely done, I just tested your site, and it looks functional.

A few notes on the HTML:

• Use clarifiers for your IDs (ex, textbox id's are always prefixed with txt, dropdownlists with ddl, checkboxes with chk, etc)
• Instead of <b> </b> use labels (and dont forget the above point when naming them) with css styling
• I normally have validators have their initials as their definer, and then carry the same suffix as the object they are validating (ex, if the regular expression validator was validating txtPhone, then the validator would be named revPhone)

Those are all styling points, up to you whether you want to put them into your code.

This SHOULD be done though:
Go back through all your input fields and put a maximum character amount. This is so when you create your sql table, you know the maximum size you will be passing to it. Its not needed, as you can use variable sized inputs, but it will help.


Onto the code. Now that you have what can be referenced as pseudo code, create a User class that has all these properties. Here are a few pointers with that class:

• Private variables, public properties (stylistic, but it also lets you change the implementation later without breaking code everywhere)
• Include two enums for the interested in and where did you hear about us ( sample code included at the end of this post )
• Include a function to return SqlParamter[] and call it something like GetSqlParameters. For now just have it return null. We will fill in that function later when we pass this information to your sql statement.
• Everything but the zip code will probably be a string and the zip code will probably be an int, although you can have that be a string as well.
• Make sure to include a variable (string) for Other in case they select that option

Now the enum code. You have two distinct opportunities for the enums. One that only allows one value, another that the user can select multiple options. If you want to have one enum that can have multiple options, make each value in the enum a iterator of 2 ^ x (1, 2, 4, 8, 16, 32, 64, 128, etc). Examples of the enums are as such:

hi,

thank you for your feedback and help. From the HTML point of view I understood everything but didn't understand anything regards to next step. I guess its little higher level for me. Could you please explain in more detail. By User class do you mean adding new class to existing project? Are you trying to lead me to multi-tier architecture? I am kind of confused.

Thank You.

hi,

thank you for your feedback and help. From the HTML point of view I understood everything but didn't understand anything regards to next step. I guess its little higher level for me. Could you please explain in more detail. By User class do you mean adding new class to existing project? Are you trying to lead me to multi-tier architecture? I am kind of confused.

Thank You.

If this is done in Visual Studio, right click your solution and add file (like you would a web page). Select the class object. Name it something like User, and it should auto fill everything.

I may ask you if you want to create an App_Data folder, do so if it does. If it doesnt, no worries.

It should auto create a file that looks similiar to:

I am assuming here that you are using C#. If it is VB .Net, tell me and I will change the code.

Anyways, from within that above code snippet, you would add variables and it would start to look similiar to:


**NOTE** If you are unfamiliar with C#, tell me so I will take a few steps back and explain some C# for you.

Also, if you need C# help, tell me roughly what you do know so I dont go over old information.

Hi,

Thanks again. actually I am new to Asp.net C#, its been few months only. Here is a User.cs file

I am not sure whether its correct, have a look at it and let me know wat should be done next. appreciate your efforts.

You've defined the enums, but you have no instances of them within the class, Make sure to have that.

Also the SqlParameters function should return an array of SqlParamter (or, SqlParamter[])

I hope this is correct as far as enums are concerned but still i am unable to grasp SQLParameter part. Could you please show that to me and verify this too.

Thanks for being patient and helping me toward this.

Ok, some changes should be made just to make it easier to read. First off, put all your private variables and public enum declarations at the top of the class. Then, you should have one instance of the two enums, as shown below. I wasnt exactly sure what you were going with for the string versions of them, but if you take ReferredFrom.Internet.ToString() it will return 'Internet'. If you want to have public versions of those enums so you dont need to add .ToString() to it, go for it, but thats how to get it.

Now onto that SQLParameter function. The start of it is included at the end. Take a look and see if you understand what is going on.

Now here is some styling information. Why a function for the sql parameters instead of a read only property? Well, technically, its not returning a private variable. It is actually doing work, then returning that value. The reason we used properties before is so that if we changed how LastName worked, for instance, we only had to change it in the User class. We want the end user to realize that by calling GetSqlParameters() it will do work, not just expose a variable to them. Others will have different opinions on the matter, and in my opinion, there is no right or wrong way, I just attempt to remain consistent in my work and I suggest you try to retain a consistency in your work. It will help you and others that use your work.

When you are done and have no further questions about this portion, I will help you move onto the next step.

Thank You for being so patient with me. Here it is

Ok, now for some SQL fun. Do you have some background knowledge of SQL or would you like me to start from the beginning?

I guess I am ok with SQL, have done in past.

I guess I am ok with SQL, have done in past.

Ok, and you have full access to the server you are using? IE, can create tables, stored procedures, etc? Also, are you allowed a GUI to do it with, or will you be doing this through script?

Hi,

Yes i have a access to my Server. Do you mean by creating tables and Stored procedures via script or using GUI, then i can go either way. I am using Sql server 2005.

Thank You

I just read through this wonderful thread and wanted to point out that you have only done client side validation.

Please be aware that some users know how to get around this form of validation and can pass malicious code into your form.

I strongly recommend you write the C# server side code that checks each of your User class's properties before you store any information into your database...check for things like data length as well as data validity.

Also I would check every property for any SQL code that may damage your database. Screen each property for things like DROP, SELECT, INSERT, UPDATE, DELETE or TRUNCATE before you insert anything. This will prevent anything from happening in the future if a piece of code blindly uses the information stored in the database and accidentally executes something devastating. Just be aware that these words can be valid input...eg: "Select Foods" could be a valid name.

Here is a quick little bit of code (sorry it's in VB.NET) that will strip a string of these potentially harmful SQL commands:

Cheers!

-Frinny

I just read through this wonderful thread and wanted to point out that you have only done client side validation.

Please be aware that some users know how to get around this form of validation and can pass malicious code into your form

....


Cheers!

-Frinny

Oh frinny, always looking out for us. I was planning on getting to that, after we had the functionality. But valid point nonetheless.

Hi,

Yes i have a access to my Server. Do you mean by creating tables and Stored procedures via script or using GUI, then i can go either way. I am using Sql server 2005.

Thank You

Oh excellent. That should make this all easier.

Well now make a table that accurately portrays the user class you created (I would also include a userID of some sort, if you do though, be sure to add that as a readonly property to your user class with a corresponding variable).

Hello,

Please check the stored proccedure below for creating a Table. I have added UserId(not null, auto increament). Let me know if its correct (especially data types). After that i have added UserId read only property and Sqlparameter for that in User Class.

Hi Parshupooja,

Could you possibly mark what is code by using the [code] tags.
Since you're working with mainly C# I suggest using [code=cpp].
So you'll do something like [code=cpp]...your code [ /code].
It will just make things more legible.

Thanks :)

-Frinny

Hello,

Please check the stored proccedure below for creating a Table. I have added UserId(not null, auto increament). Let me know if its correct (especially data types). After that i have added UserId read only property and Sqlparameter for that in User Class.

Excellent job. Your sql code looks good, although its fairly easy for to miss script errors (I do it all the time).

You want to take out the UserID from the C# code in the Parameters function. We arent going to tell the table what its user ID is, it will just be assigned one when you register the user. The reason we have a readonly value in the user class is so that when you load a user, you can reference it by its user ID in the future (but we dont want some external class being able to change it).

I WOULD though, create a function that returns ONLY the UserID sql parameter in the C# code, but that can be saved for later when you will use the class to update portions of the user information.

Now we travel back to the HTML. Make sure that all those limits you set in your SQL script are coded into the HTML. An example would be to make sure that a user cannot put more then 50 characters for his first name, 255 for his address, etc.

Once done with that, you will make a stored procedure. I assume you know how to do this? If so, create one that will take all those parameters you used in the C# parameters function and inserts it into a new row into your table.

After all that, come back here and I will walk you through some C# sql coding so that you can call that procedure from the code.

Frinny,

I will do so. Please pardon me since I am a novice member

Hi Parshupooja,

Could you possibly mark what is code by using the [code] tags.
Since you're working with mainly C# I suggest using [code=cpp].
So you'll do something like [code=cpp]...your code [ /code].
It will just make things more legible.

Thanks :)

-Frinny

Frinny,

I will do so. Please pardon me since I am a novice member

Everyone has to start somewhere :)

Hello,

Here is a Insert Stored Procedure,


and here is modified HTML, I have tried using naming convention sugguested by you and label instead of <b>
Let me know how it looks and what needs to be done next

Thanks

You need to change one of two things, either add 'i' in front of your sqlparameters in c#, or take out the 'i's from the stored procedure.

Onto moving forward. Everything looks good, so we can begin the C# code. I prefer to move my sql code away from everything else, and place it into its own static class, but you can do it however you like. Some people believe that the sql code for updating a user, for instance, should reside within the user class. My belief is that the user class should have the capabilities of returning the information, but how it does it is pushed to another class so that a third class can use the same methodology. Up to you!


Well to the code. You will be using SqlConnection, SqlCommand, and IAsyncResult amongst other things. First you will define your SqlConnection, then your SqlCommand from your SqlConnection, and finally push the insert.

Psuedo code:

I removed i from stored procedure.I didn't understand coding part. Could you please explaing in detail.

I will go your way, adding new class for sql. Let me know how to create a static class.

Thank You,

You need to change one of two things, either add 'i' in front of your sqlparameters in c#, or take out the 'i's from the stored procedure.

Onto moving forward. Everything looks good, so we can begin the C# code. I prefer to move my sql code away from everything else, and place it into its own static class, but you can do it however you like. Some people believe that the sql code for updating a user, for instance, should reside within the user class. My belief is that the user class should have the capabilities of returning the information, but how it does it is pushed to another class so that a third class can use the same methodology. Up to you!


Well to the code. You will be using SqlConnection, SqlCommand, and IAsyncResult amongst other things. First you will define your SqlConnection, then your SqlCommand from your SqlConnection, and finally push the insert.

Psuedo code:

Expand|Select|Wrap|Line Numbers

1. SqlConnection connection = null;
2. SqlCommand command = null;
3. IAsyncResult ar = null;
4.  
5. using(connection = new SqlConnection(....))
6. {
7.      using(command = new SqlCommand(<STORED_PROCEDURE_NAME>, connection))
8.      {
9.            /* Define within here the command type (stored procedure), add the parameters to command, and finally define any return values (you probably wont use any for this insert, unless you want to return the UserID).
10.  
11.                Once done with that, open the connection, I suggest creating a sqltransaction variable and initialize that to the begintransaction call, and set the command's transaction to that variable.
12.  
13.                Now you can start the insert. This can be done with calling BeginExecuteNonQuery and setting the return result to ar. Tell ar to wait one, and then call EndExecuteNonQuery. Finally, have transaction.commit called so that its set.
14.  
15.                All this is barring any error catching. You should probably encompass all BUT the variable declarations in a try / catch block that closes and disposes of all the objects that are not null, and if the catch was raised to set the transaction to rollback IF its not null.
16.  
17.                Finally, make sure that everything is closed up and disposed of EVEN if everything went well. This would be a good place for a finally block after the try / catch.
18.             */
19.      }
20. }
21.  

I removed i from stored procedure.I didn't understand coding part. Could you please explaing in detail.

I will go your way, adding new class for sql. Let me know how to create a static class.

Thank You,

A static class is just a class that has all its members flagged as 'static'. Its best used a class that doesnt make sense to have instances of running around. An example would be a sql utilities class. It cannot be created, as it is always there, hence it is static.

As far as the code is concerned, what we are doing is creating a function to converse with your sql server. We have the connection and the command variables in a using block so that they are closed, and in the try catch block so that in case of error, we know they are closed. This is important so that we can make sure we handle any weird errors that might happen in an effort to make sure we dont send erroneous information to your server.

Go ahead and get that section of code up, and we will continue.