See more: C# SQL-Server
private void toolStripButton3_Click_1(object sender, EventArgs e)
{
    int damage = Convert.ToInt16(numericUpDown1.Value);
    if (textBox2.Text == "")
    {
        errorProvider1.SetError(textBox2, "Provide Owner name");
    }
    else if (textBox3.Text == "")
    {
        errorProvider1.SetError(textBox3, "Provide Address");
    }
    else if (maskedTextBox1.Text.Trim().Length <= 10)
    {
        MessageBox.Show("Provide full phone number");
    }
    else if (numericUpDown2.Value >= damage)
    {
        MessageBox.Show("check Damage quantity");
    }
    else
    {
        int a = 0, b = 0, c = 0;

        if (!int.TryParse(textBox5.Text,
                          System.Globalization.NumberStyles.Integer,
                          System.Globalization.CultureInfo.CurrentUICulture,
                          out a))
        {
            MessageBox.Show("u need to enter value");
        }
        else if (!int.TryParse(textBox9.Text,
                               System.Globalization.NumberStyles.Integer,
                               System.Globalization.CultureInfo.CurrentUICulture,
                               out b))
        {
            MessageBox.Show("u entered greater value");
        }
        else if (b > a)
        {
            MessageBox.Show("ur amount greater then total");
        }
        else
        {
            c = a - b;
            textBox10.Text = c.ToString(System.Globalization.CultureInfo.CurrentUICulture);

            UGIcon.Open();
            // The UPDATE is built by concatenating text-box values into the SQL string and
            // run through ExecuteReader; the affected-row count is never examined, so the
            // success message is shown whether or not a row matched the WHERE clause.
            cmd = new SqlCommand("update purchase set om='" + textBox2.Text + "', address='" + textBox3.Text + "', phone='" + maskedTextBox1.Text.ToString() + "',baled='" + numericUpDown2.Value + "',paid='" + textBox9.Text + "',status='" + textBox4.Text + "',balance='" + textBox10.Text + "' where cm='" + toolStripTextBox1.Text + "'", UGIcon);
            SqlDataReader da;
            da = cmd.ExecuteReader();
            da.Close();
            MessageBox.Show("Details has been updated sucessfully", "Update Window", MessageBoxButtons.OK, MessageBoxIcon.Information);
            UGIcon.Close();
        }
    }
}


If I update data using the WHERE clause on "toolstriptextbox": if a match is found for the toolstriptextbox value it updates and displays a message box saying "Update successfully", and if no match is found it does not update BUT STILL displays the same message box saying "Update successfully".
Posted 25-Jan-13 21:11pm

1 solution


Solution 2

Don't use ExecuteReader with an UPDATE query - use ExecuteNonQuery instead. It will return an integer value, which is the number of records affected. You can check this, and decide if there were any changes.

And do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use parameterized queries instead.

"I preferred these queries because in my college they taught this kind of query.... now what kind of queries do I have to use in the project for safety.... if you suggest, I will start to learn.... if you don't mind, can you tell me.. what I have to do....? to develop a secured PROJECT (application)..."

UGIcon.Open();
// Every user value is passed as a parameter, so it is sent as data, not as SQL text.
cmd = new SqlCommand("UPDATE purchase SET om=@OM, address=@AD, phone=@PH, baled=@BE, paid=@PD, status=@ST, balance=@BL where cm=@CM", UGIcon);
cmd.Parameters.AddWithValue("@OM", textBox2.Text);
cmd.Parameters.AddWithValue("@AD", textBox3.Text);
cmd.Parameters.AddWithValue("@PH", maskedTextBox1.Text);
cmd.Parameters.AddWithValue("@BE", numericUpDown2.Value);
cmd.Parameters.AddWithValue("@PD", textBox9.Text);
cmd.Parameters.AddWithValue("@ST", textBox4.Text);
cmd.Parameters.AddWithValue("@BL", textBox10.Text);
cmd.Parameters.AddWithValue("@CM", toolStripTextBox1.Text);
// ExecuteNonQuery returns the number of rows the UPDATE affected.
int updated = cmd.ExecuteNonQuery();
if (updated == 0)
{
    MessageBox.Show("No records were updated");
}
else
{
    MessageBox.Show("Details have been updated successfully", "Update Window", MessageBoxButtons.OK, MessageBoxIcon.Information);
}
UGIcon.Close();
Depending on the values in your tables, you should check and convert your values to the appropriate data types (to prevent the user typing an alpha into a numeric field, and so on - but you should check all that at the top of your method anyway and not get this far if there is a problem.)

If your college doesn't teach you about SQL injection attacks, then you have a pretty poor lecturer. (And I would not suggest that you try to see what happens if you try one on his code - you might get expelled if you "accidentally" delete his tables...)
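A typed version of the same parameterized update, added here as an example and not code from OriginalGriff's answer or the poster's project. It assumes the purchase table and column names from the question (column types, sizes and the connection string are assumptions), validates the amounts before any SQL runs, and returns ExecuteNonQuery's row count so the caller can distinguish a miss on cm from a real update:

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example, not code from the original post. Assumes the "purchase" table and
// column names from the question; column types and sizes are assumptions.
public static class PurchaseRepository
{
    // Returns ExecuteNonQuery's affected-row count: 0 means no row matched the cm key,
    // 1 means the update happened, so the caller can report a miss instead of success.
    public static int UpdatePurchase(string connectionString, string cm,
        string ownerName, string address, string phone,
        decimal baled, decimal paid, string status, decimal balance)
    {
        const string sql =
            "UPDATE purchase SET om = @OM, address = @AD, phone = @PH, " +
            "baled = @BE, paid = @PD, status = @ST, balance = @BL " +
            "WHERE cm = @CM";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Values travel as typed parameters, never as SQL text, so an apostrophe in
            // an owner name such as O'Brien is stored rather than parsed as SQL.
            cmd.Parameters.Add("@OM", SqlDbType.NVarChar, 100).Value = ownerName;
            cmd.Parameters.Add("@AD", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@PH", SqlDbType.VarChar, 20).Value = phone;
            cmd.Parameters.Add("@BE", SqlDbType.Decimal).Value = baled;
            cmd.Parameters.Add("@PD", SqlDbType.Decimal).Value = paid;
            cmd.Parameters.Add("@ST", SqlDbType.NVarChar, 50).Value = status;
            cmd.Parameters.Add("@BL", SqlDbType.Decimal).Value = balance;
            cmd.Parameters.Add("@CM", SqlDbType.VarChar, 50).Value = cm;
            conn.Open();
            return cmd.ExecuteNonQuery();   // the using blocks close the connection
        }
    }

    // Parses the total and paid text boxes up front, so the UPDATE never runs on
    // input that is non-numeric or that pays more than the total.
    public static bool TryComputeBalance(string totalText, string paidText,
        out decimal total, out decimal paid, out decimal balance)
    {
        paid = 0; balance = 0;
        var culture = CultureInfo.CurrentUICulture;
        if (!decimal.TryParse(totalText, NumberStyles.Number, culture, out total)) return false;
        if (!decimal.TryParse(paidText, NumberStyles.Number, culture, out paid)) return false;
        if (paid > total) return false;
        balance = total - paid;
        return true;
    }
}
```

The click handler would call TryComputeBalance first, then UpdatePurchase, and show "No records were updated" when the returned count is 0.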
Comments
selva_1990 26-Jan-13 4:15am
If I use ExecuteNonQuery it shows an error.
OriginalGriff 26-Jan-13 4:22am
And how did you use it?
selva_1990 26-Jan-13 4:29am
UGIcon.Open();
cmd = new SqlCommand("update purchase set om='" + textBox2.Text + "', address='" + textBox3.Text + "', phone='" + maskedTextBox1.Text.ToString() + "',baled='" + numericUpDown2.Value + "',paid='" + textBox9.Text + "',status='" + textBox4.Text + "',balance='" + textBox10.Text + "' where cm='" + toolStripTextBox1.Text + "'", UGIcon);
cmd.ExecuteNonQuery();
MessageBox.Show("Details has been updated sucessfully", "Update Window", MessageBoxButtons.OK, MessageBoxIcon.Information);
UGIcon.Close();

Yeah, it's working well.
OriginalGriff 26-Jan-13 4:31am
No, it isn't.
You don't look at the return value and decide if any updates were made; you just report that they were. (And your best mate can still destroy your database "for a laugh" without breaking into a sweat.)
OriginalGriff 26-Jan-13 4:30am
As you probably noticed (since you deleted the comment), ExecuteNonQuery returns an int - like I said - so you need to assign it to an int rather than a data adapter.
int affected = cmd.ExecuteNonQuery();
Would probably compile better...

And I wasn't joking about the parameterized query - anyone can destroy your DB by typing in the textboxes...
selva_1990 26-Jan-13 4:39am
I preferred these queries because in my college they taught this kind of query.... now what kind of queries do I have to use in the project for safety.... if you suggest, I will start to learn.... if you don't mind, can you tell me.. what I have to do....? to develop a secured PROJECT (application)...
OriginalGriff 26-Jan-13 4:55am
Answer updated
selva_1990 26-Jan-13 5:29am
Thank you very much :)
OriginalGriff 26-Jan-13 5:32am
You're welcome!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
