Quote:
ddl.ID = "ddl" + i;
...
row.Cells[i].FindControl("ddl")
You create the lists with the IDs ddl5, ddl6, etc.; but you're trying to find a control with the ID ddl, without the numeric suffix.
Add the suffix in your FindControl call:
DropDownList ddl1 = row.Cells[i].FindControl("ddl" + i) as DropDownList;
string query = " update devopstable set " + GridView1.HeaderRow.Cells[i].Text + " = '"+ddl1.SelectedItem.Value+"' ";
Don't do it like that! Your code is vulnerable to SQL Injection.
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
Unfortunately, you can't use a parameter to represent a column name. You'll need to verify that there is no way for the user to control the column name.
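// The column name cannot be a parameter, so it is still concatenated;
// it must come from a source the user cannot control.
string columnName = GridView1.HeaderRow.Cells[i].Text;
string query = "UPDATE devopstable SET [" + columnName + "] = @Value";
using (SqlCommand cmd = new SqlCommand(query, cnn1))
{
    // The selected value is passed as a parameter, never as SQL text.
    cmd.Parameters.AddWithValue("@Value", ddl1.SelectedItem.Value);
    cnn1.Open();
    cmd.ExecuteNonQuery();
    cnn1.Close();
}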
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
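One way to do the column-name verification mentioned in the answer above, as an added example that is not part of the original answer: the header text is looked up in a fixed allow-list, and only the allow-listed name is ever concatenated into the SQL. The column names and the nvarchar(100) parameter type are assumptions; substitute the real columns of devopstable.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class DevopsTableUpdate
{
    // Hypothetical column names (assumption): header text -> canonical column name.
    private static readonly Dictionary<string, string> AllowedColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Status", "Status" },
            { "Owner", "Owner" },
            { "Environment", "Environment" }
        };

    // Returns the canonical allow-listed name, or throws if the header text
    // is not a column the application expects to update.
    public static string ResolveColumn(string headerText)
    {
        string candidate = (headerText ?? string.Empty).Trim();
        string canonical;
        if (!AllowedColumns.TryGetValue(candidate, out canonical))
            throw new ArgumentException("Column is not updatable: " + candidate);
        return canonical;
    }

    public static SqlCommand Build(string headerText, string value, SqlConnection cnn)
    {
        string column = ResolveColumn(headerText);
        // Only the allow-listed literal reaches the SQL text; the value is a parameter.
        var cmd = new SqlCommand("UPDATE devopstable SET [" + column + "] = @Value", cnn);
        cmd.Parameters.Add("@Value", SqlDbType.NVarChar, 100).Value = value;
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs; no connection is opened, only the command text is printed.
        foreach (string header in new[] { "owner", "NotAColumn", "Owner] = 'x' --" })
        {
            try
            {
                using (SqlCommand cmd = Build(header, "alice", null))
                    Console.WriteLine(cmd.CommandText);
            }
            catch (ArgumentException ex) { Console.WriteLine("Rejected: " + ex.Message); }
        }
    }
}
```

Because the concatenated text is always the dictionary's own value, a header that differs only in case still resolves to the canonical column, and anything else is rejected before a command is built.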