I have website in asp .net currently online but its database become corrupted every time after new enteries

Question

In my website which is online local directory become corrupt when i put it on server. table in database got html tag but i dont change anything enteries become like Name A Suresh

or different html tags

is it sql injection?? my website runs smoothly on localhost but when i put it online all enteries become corrupted after some time of updation.

 protected void b1_Click(object sender, EventArgs e)
    {
        //Byte[] bytes = null;
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["constr"].ToString());
        con.Open();
        SqlCommand cmd = new SqlCommand("insert into dbocontent values(@image_name, @image_path, @firm_name, @phno, @address, @work_detail, @email, @website, @location, @city, @contact_person, @mob_no, @reciept_no, @opening_hours, @estblish, @deal, @status, @deal_duration, @deal_name, @deal_description, @category, @sub_category1, @sub_category2, @sub_category3, @phno2)", con);




        if (FileUpload2.HasFile)
        {
            string Extension = Path.GetExtension(FileUpload2.FileName);
            if (Extension.ToLower() != ".gif" && Extension.ToLower() != ".png" && Extension.ToLower() != ".jpg" && Extension.ToLower() != ".jpeg") { ScriptManager.RegisterStartupScript(this, this.GetType(), "popup", "alert('Invalid Image Format');", true); }
            else { string Pathname = "uploadimages/" + Path.GetFileName(FileUpload2.PostedFile.FileName); string Filename = Path.GetFileName(FileUpload2.PostedFile.FileName); cmd.Parameters.AddWithValue("@image_name", Filename); cmd.Parameters.AddWithValue("@image_path", Pathname); FileUpload2.SaveAs(Server.MapPath("~/uploadimages/" + FileUpload2.FileName)); }
        }

        else { ScriptManager.RegisterStartupScript(this, this.GetType(), "popup", "alert('pls select a file to upload');", true); }

            cmd.Parameters.AddWithValue("@firm_name", txtfirmname.Text);
            cmd.Parameters.AddWithValue("@phno", txtphone.Text);
            cmd.Parameters.AddWithValue("@address", txtaddress.Text);
            cmd.Parameters.AddWithValue("@work_detail", txtworkdetail.Text);
            cmd.Parameters.AddWithValue("@email", txtemail.Text);
           cmd.Parameters.AddWithValue("@website", txtwebsite.Text);
           cmd.Parameters.AddWithValue("@location", txtlocation.Text);
           cmd.Parameters.AddWithValue("@city", DropDownList2.SelectedItem.Text);
           cmd.Parameters.AddWithValue("@contact_person", txtcontact_person.Text);
           cmd.Parameters.AddWithValue("@mob_no", txtmob.Text);
           cmd.Parameters.AddWithValue("@reciept_no", txtreciept.Text);
           cmd.Parameters.AddWithValue("@opening_hours", txtopeningtime.Text);
           cmd.Parameters.AddWithValue("@estblish", txtestblish.Text);

           // cmd.Parameters.AddWithValue("@sub_sub_category", ddlsubsubcat.SelectedItem.Text);


           cmd.Parameters.AddWithValue("@deal", DropDownList1.SelectedItem.Text);
        if (DropDownList1.SelectedItem.Text == "Yes")
        {
            cmd.Parameters.AddWithValue("@status", txtstatus.Text);
            cmd.Parameters.AddWithValue("@deal_duration", txtdealtime.Text);
            cmd.Parameters.AddWithValue("@deal_name", txtdealname.Text);
            cmd.Parameters.AddWithValue("@deal_description", txtdes.Text);
        }
        else
        {
            cmd.Parameters.AddWithValue("@status", "");
            cmd.Parameters.AddWithValue("@deal_duration", "");
            cmd.Parameters.AddWithValue("@deal_name", "");
            cmd.Parameters.AddWithValue("@deal_description", "");

        }
        cmd.Parameters.AddWithValue("@category", ddlcategory.SelectedItem.Text);
        cmd.Parameters.AddWithValue("@sub_category1", ddlsubsubcat1.SelectedItem.Text);
        cmd.Parameters.AddWithValue("@sub_category2", ddlsubsubcat2.SelectedItem.Text);
        cmd.Parameters.AddWithValue("@sub_category3", ddlsubsubcat3.SelectedItem.Text);
        cmd.Parameters.AddWithValue("@phno2", txtphno2.Text);




        string[] queryString3 = new string[22];
        queryString3[0] = txtfirmname.Text;
        queryString3[1] = txtphone.Text;
        queryString3[2] = txtaddress.Text;
        queryString3[3] = txtworkdetail.Text;
        queryString3[4] = txtemail.Text;
        queryString3[5] = txtwebsite.Text;
        queryString3[6] = txtlocation.Text;
        queryString3[7] = DropDownList2.SelectedItem.Text;
        queryString3[8] = txtcontact_person.Text;
        queryString3[9] = txtmob.Text;
        queryString3[10] = txtreciept.Text;
        queryString3[11] = txtopeningtime.Text;
        queryString3[12] = txtestblish.Text;
        queryString3[13] = txtstatus.Text;
        queryString3[14] = txtdealtime.Text;
        queryString3[15] = txtdealname.Text;
        queryString3[16] = txtdes.Text;
        queryString3[17] = ddlcategory.SelectedItem.Text;
        queryString3[18] = ddlsubsubcat1.SelectedItem.Text;
        queryString3[19] = ddlsubsubcat2.SelectedItem.Text;
        queryString3[20] = ddlsubsubcat3.SelectedItem.Text;
        queryString3[21] = txtphno2.Text;
      //  queryString3[19] = txtfirmname.Text;

        if (!String.IsNullOrEmpty(queryString3[0]))
        {
            List<string> y = queryString3.ToList<string>();
            y.RemoveAll(p => string.IsNullOrEmpty(p));
            queryString3 = y.ToArray();

            if (CheckSqlInjection(queryString3))
            {
                Response.Redirect("~/error.htm");
            }
            else
            {
                cmd.ExecuteNonQuery();
                // c.Parameters.AddWithValue("@category", txtcategory.Text);
            }

        }
        Response.Redirect(Request.Url.ToString(), false);

        reset();

        con.Close();

    }

// this is front end

<%@ Page Title="" Language="C#" MasterPageFile="~/Admin Panel/MasterPage2.master" AutoEventWireup="true" CodeFile="content.aspx.cs" Inherits="Admin_Panel_Default2" %>

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
    <div class="cantant_right_text">
<%--<form id="form1" runat="server">--%>

<h1>Add New User</h1><br />

<table class="tabl">


    <tr>
        <td>
            <asp:Label runat="server" ID="lbcategory" Text="Category"></asp:Label>
        </td>
        <td>
            <asp:DropDownList ID="ddlcategory" runat="server" Height="35px" Width="253px"></asp:DropDownList>
        </td>
        <td>

        </td>
    </tr>
<tr>
        <td>
            <asp:Label runat="server" ID="Label4" Text="Select Sub Category 1"></asp:Label>
        </td>
        <td>
            <asp:DropDownList runat="server" ID="ddlsubsubcat1" Height="30px" Width="253px" 
                ></asp:DropDownList>
        </td>
        <td>

        </td>

    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="Label1" Text="Select Sub Category 2"></asp:Label>
        </td>
        <td>
            <asp:DropDownList runat="server" ID="ddlsubsubcat2" Height="30px" Width="253px" 
                ></asp:DropDownList>
        </td>
        <td>

        </td>

    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="Label3" Text="Select Sub Category 3"></asp:Label>
        </td>
        <td>
            <asp:DropDownList runat="server" ID="ddlsubsubcat3" Height="30px" Width="253px" 
                ></asp:DropDownList>
        </td>
        <td>

        </td>

    </tr>



    <tr>
        <td>
            <asp:Label runat="server" ID="lbfirmname" Text="Firm Name"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtfirmname" placeholder="Enter Firm Name"></asp:TextBox>
        </td>
        <td>
         <%--   <asp:RegularExpressionValidator ID="RegularExpressionValidator1" ControlToValidate="txtfirmname" ValidationExpression="^[0-9a-zA-Z]+$" runat="server" ErrorMessage="No Special Keys" BackColor="Red"></asp:RegularExpressionValidator></td>--%>
        <td>

        </td>

    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbphone" Text="Phone Number"></asp:Label>

        </td>
        <td>
            <asp:TextBox runat="server" ID="txtphone" placeholder="Enter Phone Number"></asp:TextBox>
         <%--   <asp:RegularExpressionValidator ID="RegularExpressionValidator3" ControlToValidate="txtphone" ValidationExpression="^[0-9]+$" runat="server" ErrorMessage="Only Numeric Keys" BackColor="Red"></asp:RegularExpressionValidator>--%>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbaddress" Text="Address"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtaddress" placeholder="Enter Address"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbworkdetail" Text="Work Detail"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtworkdetail" placeholder="Enter Work Detail"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbemail" Text="Email"></asp:Label>

        </td>
        <td>
            <asp:TextBox runat="server" ID="txtemail" placeholder="Enter Email"></asp:TextBox>
          <%--  <asp:RegularExpressionValidator ID="RegularExpressionValidator4" ControlToValidate="txtemail" ValidationExpression="^[\w-\.]{1,}\@([\da-zA-Z-]{1,}\.){1,}[\da-zA-Z-]{2,6}$" runat="server" ErrorMessage="Email not valid" BackColor="Red"></asp:RegularExpressionValidator>--%>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbwebsite" Text="Website Name"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtwebsite" placeholder="Enter Website Name"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lblocation" Text="Location"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtlocation" placeholder=" Enter Location"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbcity" Text="City"></asp:Label>
        </td>
        <td>
            <asp:DropDownList ID="DropDownList2" runat="server" Height="33px" Width="254px">
            </asp:DropDownList>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbcontact_person" Text="Contact Person"></asp:Label>



        </td>
        <td>
            <asp:TextBox runat="server" ID="txtcontact_person" placeholder="Enter Contact Person"></asp:TextBox>
            <%-- <asp:RegularExpressionValidator ID="RegularExpressionValidator5" ControlToValidate="txtcontact_person" ValidationExpression="^[a-zA-Z]+$" runat="server" ErrorMessage="Only Alphabets" BackColor="Red"></asp:RegularExpressionValidator>--%>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbmob_no" Text="Mobile Number"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtmob" placeholder="Enter Mobile Number"></asp:TextBox>
           <%--  <asp:RegularExpressionValidator ID="RegularExpressionValidator6" ControlToValidate="txtmob" ValidationExpression="^[0-9]+$" runat="server" ErrorMessage="Only Numeric Keys" BackColor="Red"></asp:RegularExpressionValidator>--%>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbreciept" Text="Reciept Number"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtreciept" placeholder="Enter Reciept Number"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbopeningtime" Text="Opening Hours"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtopeningtime" placeholder="Enter Opening Hours"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>

    <tr>
        <td>
            <asp:Label runat="server" ID="lbestblish" Text="Estblish In"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtestblish" placeholder="Enter Estblish Year"></asp:TextBox>
           <%--  <asp:RegularExpressionValidator ID="RegularExpressionValidator7" ControlToValidate="txtestblish" ValidationExpression="^[0-9]+$" runat="server" ErrorMessage="Only Numeric Keys" BackColor="Red"></asp:RegularExpressionValidator>--%>
        </td>
        <td>

        </td>
    </tr>
     <tr>
        <td>
            <asp:Label runat="server" ID="lbdeal" Text="Deal"></asp:Label>
        </td>
        <td>
            <asp:DropDownList ID="DropDownList1" runat="server" Height="26px" Width="253px" 
                onselectedindexchanged="DropDownList1_SelectedIndexChanged" 
                AutoPostBack="True">
                <asp:ListItem>Yes</asp:ListItem>
                <asp:ListItem>No</asp:ListItem>
            </asp:DropDownList>
        </td>
        <td>

        </td>
    </tr>
    <%--<tr>
        <td>
            <asp:Label runat="server" ID="Label14" Text="Firm Name"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="TextBox14" placeholder="Enter Firm Name"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>--%>


    <tr>
        <td>
            <asp:Label runat="server" ID="lbstatus" Text="Status"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtstatus" placeholder="Enter Status"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
     <tr>
        <td>
            <asp:Label runat="server" ID="lbdealtime" Text="Deal Duration"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtdealtime" placeholder="Enter Duration"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
    <tr>
        <td>
            <asp:Label runat="server" ID="lbdealname" Text="Deal Name"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtdealname" placeholder="Enter Deal Name"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
     <tr>
        <td>
            <asp:Label runat="server" ID="lbdealdescription" Text="Deal Description"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtdes" placeholder="Enter Description"></asp:TextBox>
        </td>
        <td>

        </td>
    </tr>
     <tr>
        <td>
            <asp:Label runat="server" ID="lb2" Text="Phone Number 2"></asp:Label>
        </td>
        <td>
            <asp:TextBox runat="server" ID="txtphno2" placeholder="Enter Phone Number 2"></asp:TextBox>
            <%--<asp:RegularExpressionValidator ID="RegularExpressionValidator8" ControlToValidate="txtphno2" ValidationExpression="^[0-9]+$" runat="server" ErrorMessage="Only Numeric Keys" BackColor="Red"></asp:RegularExpressionValidator>--%>
        </td>
        <td>

        </td>
    </tr>

     <tr>
        <td>
            <asp:Label ID="Label2" runat="server" Text="Upload"></asp:Label>
        </td>
        <td>
            <asp:FileUpload ID="FileUpload2" runat="server" />
        </td>
        <td>
        </td>
    </tr>
    <tr>
        <td>

        </td>
         <td>
            <asp:Button runat="server" ID="b1" Text="Submit" 
                 style="margin-top:15px; width:255px; height:40px; color:White; background-color:#04579f; font-size:20px;" 
                 onclick="b1_Click"/>
        </td>
    </tr>
    </table>

</div>

</asp:Content>

Answer 1

Based on my comment above, here is what your code should look like or be similar to.

    using System;
    using System.Net;
    using System.Net.WebUtility;

    public void SaveHTML(string htmltext)
    {
        string encodedHtmlText = HtmlEncode(htmltext);

        using (SqlCommand sqlcmd = new SqlCommand("sp_SaveHTMLText", sqlConn))
        {
            sqlcmd.CommandType = CommandType.StoredProcedure;
            sqlcmd.CommandTimeout = 3600;

            SqlParameter eht = new SqlParameter("htmltext", encodedHtmlText);

            sqlcmd.Parameters.Add(eht);

            sqlConn.Open();

            sqlcmd.ExecuteNonQuery();
        }
        sqlConn.Close();
    }

    public string GetHTML(int htmlId)
    {
        string decodedHtmlText = String.Empty;

        using (SqlCommand sqlcmd = new SqlCommand("sp_GetHTMLText", sqlConn))
        {
            sqlcmd.CommandType = CommandType.StoredProcedure;
            sqlcmd.CommandTimeout = 3600;

            SqlParameter eht = new SqlParameter("htmlId", htmlId);

            sqlcmd.Parameters.Add(eht);

            sqlConn.Open();

            using (SqlDataReader dr = sqlcmd.ExecuteReader())
            {
                if (dr.HasRows)
                {
                    while (dr.Read())
                    {
                        decodedHtmlText = HtmlDecode(dr["HtmlString"].ToString());
                    }
                }
            }
        }
        sqlConn.Close();

        return decodedHtmlText;
   }

NOTES:

• sp_SaveHTMLText and sp_GetHTMLText are the name of stored procedures.
• The while loop in GetHTML assumes that there will be only one record returned when calling sp_GetHTMLText.
• Also it is assumed that the column in the table where you are saving this to is either varchar or nvarchar.
• Since your tags say asp.net-mvc, I'm assuming you're using C#.
• Please see: DotNetPerls - HtmlEncode and SO - Storing HTML in SQL.