I want to store a value in a column as a number instead of a string
I have this part of code in C#:
```csharp
//Order
string refId = order.id.ToString();
ApplicationLogger.Write("order.date_created : " + order.date_created.ToString());
var dateTime = Convert.ToDateTime(order.date_created.ToString()).ToString("MM/dd/yyyy HH:mm:ss");
string weight = order.cart_hash;
string totalPrice = order.total.ToString();
string paymentMethod = order.payment_method;
string shippingCosts = order.shipping_total.ToString();
string insertOrderQuery = string.Empty;
try
{
    string invoice = "ΛΙΑ";
    if (order.billing != null)
    {
        if (!string.IsNullOrEmpty(order.billing.company))
            invoice = "TIM";
    }
    //checkIfalreadyExists
    // Every value below is converted to a string and concatenated into the SQL text
    DataTable orderDT = BaseDAL.ExecCommand("select * from Z_Orders where refId='" + refId + "'", null, connectionString);
    if (orderDT != null && orderDT.Rows.Count <= 0)
    {
        insertOrderQuery = "Insert into Z_Orders ([refId],[date_time],[invoice],[order_weight],[total_price],[payment_method],[shipping]) values ('" + refId + "','" + dateTime + "','" + invoice + "','" + weight + "','" + totalPrice + "','" + paymentMethod + "','" + shippingCosts + "')";
        BaseDAL.ExecNonQueryCommand(insertOrderQuery, null, connectionString);
    }
}
catch (Exception ex)
{
    // Error handling is not shown in the post; log and rethrow
    ApplicationLogger.Write(ex.ToString());
    throw;
}
```
Everything works and the data is stored in the local database, but I want this value
`string shippingCosts = order.shipping_total.ToString();`
to be stored in the database as a number and not as a string.
The number has decimals.
So how can I do this, and what should I add to the database column as a property
to
You are approaching this problem backwards. The correct thing to do here is treat numbers as numbers, treat datetimes as datetimes, etc; do not force everything to strings and concatenate. In addition to being a SQL injection attack vector, this risks huge i18n/l10n problems (what does one-hundred point six three two look like as a string? in the US? in France, Spain?) and makes query plan caching useless.
Instead: use parameters. I don't know what your `BaseDAL` layer does, but: if I give examples using Dapper syntax: (you can do all this manually; Dapper is just one tool that makes correctly parameterizing SQL simple; many other ORM/etc tools offer similar features)
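
The "do all this manually" route with plain ADO.NET, as an added example (it is not the answerer's Dapper code and not from the original post). `OrderWriter`, its method names, the string column sizes, and the `datetime` / `decimal(18,2)` column types are assumptions; the existence check is folded into the insert statement.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class OrderWriter
{
    // Parse decimal text with a fixed culture so "100.63" means the same on every server.
    public static decimal ParseAmount(string text) =>
        decimal.Parse(text, NumberStyles.AllowLeadingSign | NumberStyles.AllowDecimalPoint,
                      CultureInfo.InvariantCulture);

    // Inserts the order unless refId already exists; returns true when a row was written.
    public static bool InsertIfMissing(string connectionString, string refId, DateTime created,
        string invoice, string weight, decimal totalPrice, string paymentMethod, decimal shipping)
    {
        const string sql = @"
insert into Z_Orders ([refId],[date_time],[invoice],[order_weight],[total_price],[payment_method],[shipping])
select @refId, @dateTime, @invoice, @weight, @totalPrice, @paymentMethod, @shipping
where not exists (select 1 from Z_Orders where refId = @refId);";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Values travel as typed parameters and are never spliced into the SQL text.
            cmd.Parameters.Add("@refId", SqlDbType.NVarChar, 50).Value = refId;
            cmd.Parameters.Add("@invoice", SqlDbType.NVarChar, 10).Value = invoice;
            cmd.Parameters.Add("@weight", SqlDbType.NVarChar, 100).Value = (object)weight ?? DBNull.Value;
            cmd.Parameters.Add("@paymentMethod", SqlDbType.NVarChar, 50).Value = (object)paymentMethod ?? DBNull.Value;
            cmd.Parameters.Add("@dateTime", SqlDbType.DateTime).Value = created;
            AddDecimal(cmd, "@totalPrice", totalPrice);
            AddDecimal(cmd, "@shipping", shipping);
            conn.Open();
            return cmd.ExecuteNonQuery() == 1;
        }
    }

    // Assumed column type decimal(18,2): precision and scale are set to match it.
    static void AddDecimal(SqlCommand cmd, string name, decimal value)
    {
        var p = cmd.Parameters.Add(name, SqlDbType.Decimal);
        p.Precision = 18;
        p.Scale = 2;
        p.Value = value;
    }
}
```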