C# & SQL time in and out application

Question

0.00/5 (No votes)

See more:

I would like to request some help on creating a c# based sign in and out form that uses a local sql datbase to store people signing in and then out again

There are no errors however the form will not accept any data and the sign out form drop box will not populate with names of people from persons table I would like help to making this work please.
I need major help to ensure that:
the data accepts from The sign in form to the database columns of Name, Time in and organisation
then saves
then when signing out the combobox is populated with all names of people who have signed in
Then to sign out the table uses the name in the combobox to find the time out column related to it and pastes the time out into it

This then needs a computed column in which the sql table will display the retention time of each user

This then needs to be displayed in a graph on the admin page

If anyone has any examples o something like this or wishes to work on my program could they email me at: [email address removed] (only email I have access to at the minuet)

What I have tried:

My current code is

C#

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Configuration;
using System.Data.SqlClient;

namespace SignInAndOutForm
{
    public partial class SignIn : Form
    {
        bool dataAccepted = false;
        string connectionString = (@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Register.mdf;Integrated Security=True"); //mainly used as a note rather than placeholder
        // also uses this as the link to the DATABASE
        SqlConnection Connection;

        public SignIn()
        {
            InitializeComponent();
        }

        private void textBox2_TextChanged(object sender, EventArgs e)
        {
            //allows for automated time when clicked provided by local system
            string AutoTime = DateTime.Now.ToString("HH:mm");
            textBox2.Text = AutoTime;
        }

        private void SignIn_Load(object sender, EventArgs e)
        {
            //Loads oddly enough
        }

        private void button1_Click(object sender, EventArgs e)
        {
            //ACCEPT SOME DATA, by calling the subroutine
            AcceptData();
            // then close the form, it hides it to stop
            if (dataAccepted == true)
            {
                textBox1.Clear();
                textBox2.Clear();
                textBox3.Clear();
                this.Hide();
            }

        }
        // this tries to create a connection to the current database of PEOPLE and then tried to input the data required
        private void AcceptData()
        {
            using (Connection = new SqlConnection(connectionString))
            {
                Connection.Open();

                using (SqlDataAdapter adapter = new SqlDataAdapter("UPDATE ", Connection))//INPUT changed to INSERT Allowing data to be accepted //keep for a later date INSERT INTO Person SELECT * FROM PERSON WHERE TimeOut IS NULL
                {
                    DataTable RegisterTable = new DataTable();
                    adapter.Fill(RegisterTable); //Initialisation fixed using .open() command

                    string name = textBox1.Text;
                    string organisation = textBox3.Text;
                    DateTime Time = DateTime.Parse(textBox2.Text);
                    string strDateTimeIn = Time.ToString("yyyy-MM-dd HH:mm:ss.ffff");
                    string query = "INSERT INTO Person (Name,Organisation,TimeIn) VALUES('" + name + "','" + organisation + "','" + strDateTimeIn + "')";
                    SqlCommand SignIn = new SqlCommand(query, Connection);
                    SignIn.ExecuteNonQuery(); // this should be fine currently
                    dataAccepted = true;

                }
            }

        }
    }
}

Sign Out

C#

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Configuration;
using System.Data.SqlClient;

namespace SignInAndOutForm
{
    public partial class SignOut : Form
    {
        public SignOut()
        {
            InitializeComponent();
            BindComboName();
        }

        private void textBox1_TextChanged(object sender, EventArgs e)
        {
            string AutoTime = DateTime.Now.ToString("HH:mm");
            textBox1.Text = AutoTime;
        }

        private void button1_Click(object sender, EventArgs e)
        {
            
            if (textBox1.Text == null || textBox1.Text == "")
            {
                MessageBox.Show("Please click the time box and press a key");
            }
            else
            {
                DateTime timeOut = DateTime.Parse(textBox1.Text);
                string strDateTimeOut = timeOut.ToString("yyyy-MM-dd HH:mm:ss.ffff");
                string queryOut = "UPDATE Person SET TimeOut = '" + strDateTimeOut+ "' FROM Person p1 WHERE p1.TimeOut IS NULL AND p1.TimeIn = (SELECT MAX(TimeIn) FROM Person p2 WHERE p2.Name = p1.Name AND p2.TimeOut IS NULL)" ;

            }
            // ACCEPT SOME DATA
            textBox1.Clear();
            this.Hide();

        }

        private void SignOut_Load(object sender, EventArgs e)
        {

        }

        private void BindComboName()
        {
            using (SqlConnection sqlConnection = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Register.mdf;Integrated Security=True"))

            {
                SqlCommand sqlCmd = new SqlCommand("SELECT Name FROM Person WHERE TimeOut IS NULL GROUP BY Name ORDER BY Name", sqlConnection);
                sqlConnection.Open();
                SqlDataReader sqlReader = sqlCmd.ExecuteReader();

                while (sqlReader.Read())
                {
                    comboBox1.Items.Add(sqlReader["Name"].ToString());
                }
                sqlReader.Close();
            }
        }
    }
}

Posted 28-Sep-17 8:22am

Member 13435649

Updated 28-Sep-17 17:42pm

Graeme_Grant

v2

Add a Solution

Comments

Member 13435649 28-Sep-17 14:24pm

If you would like the file emailed to you I can do that for you to help edit it and explain how things work, I would like any explanation with comments please to help me understand it and details of what and how parts of the code work, thanks in advance
Tom

Richard Deeming 28-Sep-17 14:43pm

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Richard MacCutchan 28-Sep-17 15:58pm

There may not be any compilation errors in your code, but that does not mean anything.

Why are you using a Textbox for date and time? Use a Calendar control so you will always get valid data. Also you are changing the text of Textbox2 inside your textBox2_TextChanged event handler, so you will automatically kick off a new event.

Graeme_Grant 28-Sep-17 23:41pm

Time to learn how to use the debugger. Debugging is just as important as knowing how to create the code. If you do not understand how to debug, this video will show you how: Basic Debugging with Visual Studio 2010 - YouTube[^]

Also, never give out your email address in a public forum like this unless you want to be overloaded with spam!

Member 13435649 30-Sep-17 9:27am

Thank you all for the input but I would Like to know how to accept the data into the SQL table first as for some reason this does not work once this is done I will focus on ensuring it is not vulnerable to sql injection and I thank you for helping me with that

Thanks in advance Tom

Richard MacCutchan 30-Sep-17 12:04pm

Maybe studying a few SQL tutorials would help you.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Patrice T · Answer 1 · 2017-09-28T13:36:00

C#

string query = "INSERT INTO Person (Name,Organisation,TimeIn) VALUES('" + name + "','" + organisation + "','" + strDateTimeIn + "')";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]