 ' Per-row values read from the receipt grid
 Dim code As String
 Dim name As String
 Dim category As String
 Dim size As String
 Dim productprice As Decimal
 Dim sellingprice As Decimal
 Dim count As String
 Dim totalsales As Decimal
 Dim stock As String
 Dim newstocks As String
 Dim pinvoice As String

 ' Rows.Count - 1 also visits the blank "new row" placeholder at the bottom of
 ' the grid; its cells are Nothing, and Decimal.Parse on one of them raises the
 ' "Value cannot be null" exception the question reports.
 For i As Integer = 0 To DGVReceipt.Rows.Count - 1
    code = DGVReceipt.Rows(i).Cells(0).Value
    name = DGVReceipt.Rows(i).Cells(1).Value
    category = DGVReceipt.Rows(i).Cells(2).Value
    size = DGVReceipt.Rows(i).Cells(3).Value
    productprice = Decimal.Parse(DGVReceipt.Rows(i).Cells(4).Value)
    sellingprice = Decimal.Parse(DGVReceipt.Rows(i).Cells(5).Value)
    count = DGVReceipt.Rows(i).Cells(6).Value
    totalsales = Decimal.Parse(DGVReceipt.Rows(i).Cells(7).Value)
    stock = DGVReceipt.Rows(i).Cells(8).Value
    newstocks = DGVReceipt.Rows(i).Cells(9).Value
    pinvoice = DGVReceipt.Rows(i).Cells(10).Value
 Next

 ' Every value is spliced into the SQL text by String.Format, so a quote in any
 ' grid cell (or in receiptNo.Text) becomes part of the statement itself: this
 ' is the SQL injection discussed in the comments below.
 MyNonQuery(String.Format("insert into boyscout_pos.tbltransaction(Purchase_Invoice,Receipt_No,Date,Product_Code,Product_Name,Category,Size,Product_Price,Selling_Price,Stock_Out,Total) values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}','{7}','{8}','{9}','{10}')", pinvoice, receiptNo.Text, transactiondate.Text, code, name, category, size, productprice, sellingprice, count, totalsales))


What I have tried:

First things first: I have data with a price value like (250.75). I want to store it in my MySQL database, so I convert productprice and sellingprice as in the code above, but in effect I encountered a warning: "The value cannot be null. Parameter name: String".

How do I solve this?
Posted; updated 8-Aug-17 16:38pm
Comments
Richard Deeming 9-Aug-17 11:55am    
In addition to the SQL Injection vulnerability in your code, you're only executing the query after the loop has finished. That means you'll only ever insert the values from the last row into your table.

You need to execute the query inside the For loop.

And if you want help to fix the exception, you'll need to tell us which line of your code it's thrown from.
Member 13264296 9-Aug-17 20:53pm    
Sorry for that; in my code here the query is inside the loop, that was a posting error. The exception occurs inside the For loop: if I do not convert productprice and sellingprice into Decimal there is no warning or exception and the program works fine, but the result in the MySQL database is an extra line at the last row with the other fields empty and a 0 value in the Product_Price and Selling_Price fields.
Richard Deeming 10-Aug-17 6:43am    
It sounds like there's an empty "insert" row at the bottom of your grid, and you're trying to insert the empty values from that into the database. Try excluding that row:
For i = 0 To DGVReceipt.Rows.Count - 2
Member 13264296 10-Aug-17 21:26pm    
Thanks, it's working well. Can you explain why my code is vulnerable to SQL injection? It's difficult for me to understand how it gets into my code. Actually the data in the DataGridView named DGVReceipt comes from another form window; I get it from there.

How do I get the data?

By scanning the Product Code; it is temporarily stored in the DataGridView of the first form, then passed to the next form's DataGridView named DGVReceipt, and in the code above I need to store that data in my database using the query.
Richard Deeming 14-Aug-17 5:37am    
Try going to receiptNo and typing in 1','2','3','4','5','6','7','8','9','10'); DELETE FROM boyscout_pos.tbltransaction; --, and then click the button.

You'll almost certainly see that all of the data is deleted from your table.

If you can't see why, try this interactive SQL Injection demo.

1 solution

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later you will do it with user input, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user entering a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: malicious user input gets promoted to SQL commands, executed with all your credentials.
SQL injection - Wikipedia
SQL Injection
Comments
Member 13264296 8-Aug-17 22:57pm    
Thanks for the advice, I really didn't know that. In my code above I need to store all the data from the DataGridView in my database. What is the best way to do it?
Member 13264296 8-Aug-17 23:46pm    
Can SQL injection still attack an offline system, or just a desktop system?
Patrice T 8-Aug-17 23:52pm    
SQL injection is malicious user input attacking your SQL Database.
Member 13264296 9-Aug-17 0:02am    
Can you give me an example of a safe query that avoids SQL injection?
Patrice T 9-Aug-17 0:10am    
The second link in the solution contains an explanation and a solution.
If you Google SQL injection, you will find numerous answers.
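The safe version asked for above, as an added example that is not the poster's code or either answerer's: the same DGVReceipt loop rewritten with a parameterized MySqlCommand, skipping the grid's blank "new row" and tolerating empty price cells. It assumes MySQL Connector/NET (MySql.Data.MySqlClient) and the column order from the question; the SaveReceipt signature, the connection string argument and the VarChar types chosen for the text columns are assumptions, since the table schema is not shown on the page.

```vbnet
' Added example, not the poster's or the answerers' code. Parameterized rewrite
' of the question's loop. Assumes MySql.Data (Connector/NET) and the grid column
' positions from the question; SaveReceipt's signature, the connection string
' and the VarChar types are assumptions (the real schema is not on the page).
'
' Why the original is injectable (payload from Richard Deeming's comment): with
' receiptNo.Text = 1','2','3','4','5','6','7','8','9','10'); DELETE FROM boyscout_pos.tbltransaction; --
' String.Format yields one text blob that MySQL parses as TWO statements:
'   INSERT INTO boyscout_pos.tbltransaction(...) VALUES ('<pinvoice>','1','2',...,'10'); DELETE FROM boyscout_pos.tbltransaction; --','...')
' With parameters the same text is sent as a value and is never parsed as SQL.
Imports System.Globalization
Imports System.Windows.Forms
Imports MySql.Data.MySqlClient

Module ReceiptSaver

    ' Reads a grid cell as Decimal. Nothing or "" (what the empty new-row
    ' placeholder holds) yields 0D instead of the "Value cannot be null"
    ' exception Decimal.Parse throws; a non-numeric cell is reported by column.
    Private Function CellToDecimal(value As Object, columnName As String) As Decimal
        Dim text As String = Convert.ToString(value)
        If text.Length = 0 Then Return 0D
        Dim d As Decimal
        If Decimal.TryParse(text, NumberStyles.Number, CultureInfo.InvariantCulture, d) Then
            Return d
        End If
        Throw New FormatException("Column " & columnName & " is not a number: " & text)
    End Function

    ' Inserts one tbltransaction row per grid row, every value bound as a
    ' parameter, inside one transaction so a half-saved receipt is rolled back.
    Public Sub SaveReceipt(grid As DataGridView, connectionString As String,
                           receiptNo As String, transactionDate As String)
        ' @placeholders instead of '{n}': MySQL receives the values separately
        ' from the statement text, so a quote or semicolon in a field is just data.
        Const Sql As String =
            "INSERT INTO boyscout_pos.tbltransaction " &
            "(Purchase_Invoice, Receipt_No, Date, Product_Code, Product_Name, Category, Size, " &
            " Product_Price, Selling_Price, Stock_Out, Total) " &
            "VALUES (@pinvoice, @receipt, @date, @code, @name, @category, @size, " &
            "        @productprice, @sellingprice, @count, @total)"

        Using conn As New MySqlConnection(connectionString)
            conn.Open()
            Using tx As MySqlTransaction = conn.BeginTransaction()
                Using cmd As New MySqlCommand(Sql, conn, tx)
                    ' Declare the parameters once; only their values change per row.
                    cmd.Parameters.Add("@pinvoice", MySqlDbType.VarChar)
                    cmd.Parameters.Add("@receipt", MySqlDbType.VarChar)
                    cmd.Parameters.Add("@date", MySqlDbType.VarChar)      ' kept as text, like the original
                    cmd.Parameters.Add("@code", MySqlDbType.VarChar)
                    cmd.Parameters.Add("@name", MySqlDbType.VarChar)
                    cmd.Parameters.Add("@category", MySqlDbType.VarChar)
                    cmd.Parameters.Add("@size", MySqlDbType.VarChar)
                    cmd.Parameters.Add("@productprice", MySqlDbType.Decimal)
                    cmd.Parameters.Add("@sellingprice", MySqlDbType.Decimal)
                    cmd.Parameters.Add("@count", MySqlDbType.VarChar)     ' schema unknown; text, like the original
                    cmd.Parameters.Add("@total", MySqlDbType.Decimal)

                    For Each row As DataGridViewRow In grid.Rows
                        ' The blank "insert" row at the bottom of the grid carries no
                        ' data. IsNewRow is the reliable test; Rows.Count - 2 only
                        ' works while AllowUserToAddRows stays on.
                        If row.IsNewRow Then Continue For

                        cmd.Parameters("@pinvoice").Value = Convert.ToString(row.Cells(10).Value)
                        cmd.Parameters("@receipt").Value = receiptNo
                        cmd.Parameters("@date").Value = transactionDate
                        cmd.Parameters("@code").Value = Convert.ToString(row.Cells(0).Value)
                        cmd.Parameters("@name").Value = Convert.ToString(row.Cells(1).Value)
                        cmd.Parameters("@category").Value = Convert.ToString(row.Cells(2).Value)
                        cmd.Parameters("@size").Value = Convert.ToString(row.Cells(3).Value)
                        cmd.Parameters("@productprice").Value = CellToDecimal(row.Cells(4).Value, "Product_Price")
                        cmd.Parameters("@sellingprice").Value = CellToDecimal(row.Cells(5).Value, "Selling_Price")
                        cmd.Parameters("@count").Value = Convert.ToString(row.Cells(6).Value)
                        cmd.Parameters("@total").Value = CellToDecimal(row.Cells(7).Value, "Total")
                        cmd.ExecuteNonQuery()
                    Next
                End Using
                ' Leaving the Using block without reaching Commit (an exception)
                ' disposes the transaction, which rolls back every row inserted so far.
                tx.Commit()
            End Using
        End Using
    End Sub

End Module
```

Call it from the button handler as SaveReceipt(DGVReceipt, connectionString, receiptNo.Text, transactiondate.Text). Typing Richard Deeming's payload into receiptNo then stores that whole string in the Receipt_No column of each row and deletes nothing, which is the behaviour a safe query should have; the "Value cannot be null" error disappears because the placeholder row is skipped and empty price cells are handled in CellToDecimal rather than by Decimal.Parse.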

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)