So many problems in such a small code sample!
Quote:
new MySqlCommand("UPDATE payment SET ornumber = @ornumber,datepayment = @datepayment,amountpaid = @amountpaid,penalty = @penalty,totalamount = @totalamount,cashtendered = @cashtendered,CHANGED = @changed WHERE contractid =" + contractid + ";", con.con)
You know you need to use parameters to avoid
SQL Injection[
^]. You sort-of know how to use them. And yet you still chose to concatenate a parameter value directly into your query at the last, leaving your code wide-open to this critical vulnerability.
Quote:
con.Open();
reader = cmd.ExecuteReader();
cmd.Parameters.AddWithValue("@ornumber", Int32.Parse(dataGridViewPayment.SelectedRows[0].Cells[2].Value.ToString()));
And this is why I said you "sort-of" know how to use them - you've tried to execute the command
before adding the parameters to it.
You need to add the parameters first; only then can you execute the command.
Quote:
cmd = new MySqlCommand("UPDATE ...", con.con);
con.Open();
reader = cmd.ExecuteReader();
The
ExecuteReader
method is meant to be used with commands which return data - typically a
SELECT
command. For an
UPDATE
command, you should use
ExecuteNonQuery
instead.
Quote:
con.Close();
cmd = new MySqlCommand(...);
con.Open();
reader = cmd.ExecuteReader();
You're storing your connection, command, and datareader objects in class-level fields. That's a great way to introduce memory leaks and data corruption!
Instead, create the objects when you need them, and wrap them in a
using
block to ensure they're always disposed of properly. I'd suggest creating a function to create your connection object, so that you only need to configure it in one place. For example:
private MySqlConnection CreateConnection()
{
return new MySqlConnection(ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString);
}
private void dataGridViewPayment_CellContentClick(object sender, DataGridViewCellEventArgs e)
{
if (dataGridViewPayment.SelectedRows.Count == 0)
{
return;
}
var row = dataGridViewPayment.SelectedRows[0];
using (MySqlConnection con = CreateConnection())
using (MySqlCommand cmd = new MySqlCommand("UPDATE payment SET ornumber = @ornumber, datepayment = @datepayment, amountpaid = @amountpaid, penalty = @penalty, totalamount = @totalamount, cashtendered = @cashtendered, CHANGED = @changed WHERE contractid = @contractid;", con))
{
cmd.Parameters.AddWithValue("@ornumber", Int32.Parse(row.Cells[2].Value.ToString()));
cmd.Parameters.AddWithValue("@datepayment", DateTime.Parse(row.Cells[3].Value.ToString()));
cmd.Parameters.AddWithValue("@amountpaid", Int32.Parse(row.Cells[4].Value.ToString()));
cmd.Parameters.AddWithValue("@penalty", Int32.Parse(row.Cells[7].Value.ToString()));
cmd.Parameters.AddWithValue("@totalamount", Int32.Parse(row.Cells[8].Value.ToString()));
cmd.Parameters.AddWithValue("@cashtendered", Int32.Parse(row.Cells[9].Value.ToString()));
cmd.Parameters.AddWithValue("@changed", Int32.Parse(row.Cells[10].Value.ToString()));
cmd.Parameters.AddWithValue("@contractid", contractid);
con.Open();
cmd.ExecuteNonQuery();
}
}