See more: C# SQL-Server
private void toolStripButton3_Click_1(object sender, EventArgs e)
{
    int damage = Convert.ToInt16(numericUpDown1.Value);
    if (textBox2.Text == "")
    {
        errorProvider1.SetError(textBox2, "Provide Owner name");
    }
    else if (textBox3.Text == "")
    {
        errorProvider1.SetError(textBox3, "Provide Address");
    }
    else if (maskedTextBox1.Text.Trim().Length <= 10)
    {
        MessageBox.Show("Provide full phone number");
    }
    else if (numericUpDown2.Value >= damage)
    {
        MessageBox.Show("check Damage quantity");
    }
    else
    {
        int a = 0, b = 0, c = 0;

        if (!int.TryParse(textBox5.Text,
                          System.Globalization.NumberStyles.Integer,
                          System.Globalization.CultureInfo.CurrentUICulture,
                          out a))
        {
            MessageBox.Show("u need to enter value");
        }
        else if (!int.TryParse(textBox9.Text,
                               System.Globalization.NumberStyles.Integer,
                               System.Globalization.CultureInfo.CurrentUICulture,
                               out b))
        {
            MessageBox.Show("u entered greater value");
        }
        else if (b > a)
        {
            MessageBox.Show("ur amount greater then total");
        }
        else
        {
            c = a - b;
            textBox10.Text = c.ToString(System.Globalization.CultureInfo.CurrentUICulture);

            UGIcon.Open();
            // The UPDATE text is built by concatenating the textbox contents and is run
            // through ExecuteReader, so the number of rows actually changed is never seen.
            cmd = new SqlCommand("update purchase set om='" + textBox2.Text + "', address='" + textBox3.Text + "', phone='" + maskedTextBox1.Text.ToString() + "',baled='" + numericUpDown2.Value + "',paid='" + textBox9.Text + "',status='" + textBox4.Text + "',balance='" + textBox10.Text + "' where cm='" + toolStripTextBox1.Text + "'", UGIcon);
            SqlDataReader da;
            da = cmd.ExecuteReader();
            da.Close();
            MessageBox.Show("Details has been updated successfully", "Update Window", MessageBoxButtons.OK, MessageBoxIcon.Information);
            UGIcon.Close();
        }
    }
}
 

If I update data using a WHERE clause on "toolstriptextbox": if a match is found in toolstriptextbox it updates and displays a messagebox saying "Update successfully", and if no match is found it does not update BUT STILL displays the same messagebox saying "Update successfully".
Posted 25-Jan-13 21:11pm

1 solution


Solution 2

Don't use ExecuteReader with an UPDATE query - use ExecuteNonQuery instead. It will return an integer value, which is the number of records affected. You can check this, and decide if there were any changes.

And do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks, which can destroy your entire database. Use Parametrized queries instead.
 
"I preferred these queries because in my college they taught this kind of queries.... now what kind of queries do I have to use in a project for safety.... if u suggest I will start to learn.... if u don't mind can u tell.. what do I have to do....? to develop a secured PROJECT (application)..."
 
UGIcon.Open();
cmd = new SqlCommand("UPDATE purchase SET om=@OM, address=@AD, phone=@PH, baled=@BE, paid=@PD, status=@ST, balance=@BL where cm=@CM", UGIcon);
cmd.Parameters.AddWithValue("@OM", textBox2.Text);
cmd.Parameters.AddWithValue("@AD", textBox3.Text);
cmd.Parameters.AddWithValue("@PH", maskedTextBox1.Text);
cmd.Parameters.AddWithValue("@BE", numericUpDown2.Value);
cmd.Parameters.AddWithValue("@PD", textBox9.Text);
cmd.Parameters.AddWithValue("@ST", textBox4.Text);
cmd.Parameters.AddWithValue("@BL", textBox10.Text);
cmd.Parameters.AddWithValue("@CM", toolStripTextBox1.Text);
int updated = cmd.ExecuteNonQuery();
if (updated == 0)
   {
   MessageBox.Show("No records were updated");
   }
else
   {
   MessageBox.Show("Details have been updated successfully", "Update Window", MessageBoxButtons.OK, MessageBoxIcon.Information);
   }
UGIcon.Close();
Depending on the values in your tables, you should check and convert your values to the appropriate datatypes (to prevent the user typing an alpha into a numeric field, and so on - but you should check all that at the top of your method anyway and not get this far if there is a problem.)
 
If your college doesn't teach you about SQL injection attacks, then you have a pretty poor lecturer. (And I would not suggest that you try to see what happens if you try one on his code - you might get expelled if you "accidentally" delete his tables...)
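The two fixes in the solution (look at the count ExecuteNonQuery returns instead of assuming success, and bind values as parameters instead of splicing textbox text into the SQL) in a self-contained form. This is an added example, not code from the original post or from CodeProject: it uses Python's sqlite3 module and an in-memory table with constructed rows so it runs without a SQL Server. cursor.rowcount plays the role of ExecuteNonQuery's return value and the "?" placeholders the role of the @-parameters. The table shape, the sample values and the function names are assumptions; the column names are taken from the UPDATE statement in the question.

```python
import sqlite3

# Constructed sample rows for a table shaped like the page's "purchase" table
# (columns taken from the UPDATE statement in the question; values are made up).
SAMPLE_ROWS = [
    # cm,     om,      address,     phone,        baled, paid, status,   balance
    ("C001", "Alice", "1 Main St", "5551234567", 10,    200,  "open",   300),
    ("C002", "Bob",   "2 Side Rd", "5559876543", 3,     150,  "closed", 0),
]


def make_db():
    """In-memory SQLite database standing in for the SQL Server table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE purchase (cm TEXT PRIMARY KEY, om TEXT, address TEXT, "
        "phone TEXT, baled INTEGER, paid INTEGER, status TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO purchase VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_concatenated(conn, cm, om, address, phone, baled, paid, status, balance):
    """Same construction as the question's code: field text spliced into the SQL string.
    Returns the affected-row count (the equivalent of ExecuteNonQuery's return value)."""
    sql = (
        "UPDATE purchase SET om='" + om + "', address='" + address + "', phone='" + phone
        + "', baled='" + str(baled) + "', paid='" + str(paid) + "', status='" + status
        + "', balance='" + str(balance) + "' WHERE cm='" + cm + "'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_parameterized(conn, cm, om, address, phone, baled, paid, status, balance):
    """Equivalent of the solution's parameterized SqlCommand: '?' placeholders instead of
    '@OM' etc.; the driver passes the values separately, so quotes in them are just data."""
    cur = conn.execute(
        "UPDATE purchase SET om=?, address=?, phone=?, baled=?, paid=?, "
        "status=?, balance=? WHERE cm=?",
        (om, address, phone, baled, paid, status, balance, cm),
    )
    conn.commit()
    return cur.rowcount


def report(affected):
    """The message the solution derives from the row count, instead of assuming success."""
    if affected == 0:
        return "No records were updated"
    return "Details have been updated successfully"


def demo():
    """Runs the three cases worth seeing and returns their outcomes."""
    conn = make_db()
    out = {}

    # Case 1: the key exists -> one row changed, and the count says so.
    out["match"] = update_parameterized(
        conn, "C001", "Alice", "1 Main St", "5551234567", 10, 250, "open", 250)

    # Case 2: the key does not exist -> zero rows changed. The question's code never
    # looked at this count, which is why it reported success for a missing record.
    out["no_match"] = update_parameterized(
        conn, "C999", "Nobody", "-", "5550000000", 0, 0, "open", 0)

    # Case 3: a perfectly legitimate owner name containing an apostrophe. With
    # concatenation the quote ends the literal early and the statement is malformed;
    # with a bound parameter the name is stored verbatim.
    try:
        update_concatenated(
            conn, "C002", "Bob O'Brien", "2 Side Rd", "5559876543", 3, 150, "closed", 0)
        out["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        out["concat_apostrophe"] = "syntax error"
    out["param_apostrophe"] = update_parameterized(
        conn, "C002", "Bob O'Brien", "2 Side Rd", "5559876543", 3, 150, "closed", 0)
    out["stored_name"] = conn.execute(
        "SELECT om FROM purchase WHERE cm=?", ("C002",)).fetchone()[0]

    conn.close()
    return out


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, "->", value)
    print(report(0), "/", report(1))
```

The apostrophe case is the benign version of the problem the solution warns about: the same mechanism that turns "O'Brien" into a syntax error lets any text typed into the form change what the statement does, and binding the values is what removes it. The row count is a separate check: a parameterized UPDATE on a key that is not in the table still succeeds with zero rows affected, so the message must come from the count, not from the absence of an exception.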
Comments
selva_1990 at 26-Jan-13 4:15am
   
If I use ExecuteNonQuery it shows an error.
OriginalGriff at 26-Jan-13 4:22am
   
And how did you use it?
selva_1990 at 26-Jan-13 4:29am
   
UGIcon.Open();
cmd = new SqlCommand("update purchase set om='" + textBox2.Text + "', address='" + textBox3.Text + "', phone='" + maskedTextBox1.Text.ToString() + "',baled='" + numericUpDown2.Value + "',paid='" + textBox9.Text + "',status='" + textBox4.Text + "',balance='" + textBox10.Text + "' where cm='" + toolStripTextBox1.Text + "'", UGIcon);
cmd.ExecuteNonQuery();
MessageBox.Show("Details has been updated successfully", "Update Window", MessageBoxButtons.OK, MessageBoxIcon.Information);
UGIcon.Close();
 

Ya, it's working good.
OriginalGriff at 26-Jan-13 4:31am
   
No, it isn't.
You don't look at the return value and decide if any updates were made, you just report that they were. (And your best mate can still destroy your database "for a laugh" without breaking into a sweat).
OriginalGriff at 26-Jan-13 4:30am
   
As you probably noticed (since you deleted the comment) ExecuteNonQuery returns an int - like I said - so you need to assign it to an int rather than a data adapter.
int affected = cmd.ExecuteNonQuery();
Would probably compile better...
 
And I wasn't joking about the parametrized query - anyone can destroy your DB by typing in the textboxes...
selva_1990 at 26-Jan-13 4:39am
   
I preferred these queries because in my college they taught this kind of queries.... now what kind of queries do I have to use in a project for safety.... if u suggest I will start to learn.... if u don't mind can u tell.. what do I have to do....? to develop a secured PROJECT (application)...
OriginalGriff at 26-Jan-13 4:55am
   
Answer updated
selva_1990 at 26-Jan-13 5:29am
   
Thank u very much :)
OriginalGriff at 26-Jan-13 5:32am
   
You're welcome!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 26 Jan 2013
Copyright © CodeProject, 1999-2014