I'm working on the code for an update function in Visual Studio 2012, but there is an "InvalidCastException was unhandled" error.

This is the code for the update function in the Windows form:
VB
Private Sub btnupdate_Click(sender As Object, e As EventArgs) Handles btnupdate.Click
        ClassSiswa.Nis = txt_nis.Text
        ClassSiswa.Nisn = txt_nisn.Text
        ClassSiswa.Jenis_Kelamin = cmb_kelaminsiswa.Text
        ClassSiswa.Kota_Lahir = txt_kotalahir.Text
        ClassSiswa.Tanggal_Lahir = DTP_siswa.Text
        ClassSiswa.Agama = cmb_agamasiswa.Text
        ClassSiswa.Berat_Badan = txt_beratsiswa.Text
        ClassSiswa.Tinggi_Badan = txt_tinggi_badan.Text
        ClassSiswa.EditData(ClassSiswa.opencon, txt_nis.Text)
        MessageBox.Show(" Data Telah Diupdate")
        ClassKoneksi.closecon()
        datagridview()

    End Sub



And this is the class for the function:

Public Class ClassSiswa
    Inherits ClassKoneksi

    Private Shared _Nis, _Nisn, _Berat_Badan, _Tinggi_Badan As Integer
    Private Shared _Nama_Siswa, _Jenis_Kelamin, _Kota_Lahir, _Agama As String
    Private Shared _Tanggal_Lahir As Date
    Public Shared Property Nis() As Integer
        Get
            Return _Nis
        End Get
        Set(ByVal value As Integer)
            _Nis = value
        End Set
    End Property
    Public Shared Property Nisn() As Integer
        Get
            Return _Nisn
        End Get
        Set(ByVal value As Integer)
            _Nisn = value
        End Set
    End Property
    Public Shared Property Berat_Badan() As Integer
        Get
            Return _Berat_Badan
        End Get
        Set(ByVal value As Integer)
            _Berat_Badan = value
        End Set
    End Property
    Public Shared Property Tinggi_Badan() As Integer
        Get
            Return _Tinggi_Badan
        End Get
        Set(ByVal value As Integer)
            _Tinggi_Badan = value
        End Set
    End Property
    Public Shared Property Nama_Siswa() As String
        Get
            Return _Nama_Siswa
        End Get
        Set(ByVal value As String)
            _Nama_Siswa = value
        End Set
    End Property
    Public Shared Property Jenis_Kelamin() As String
        Get
            Return _Jenis_Kelamin
        End Get
        Set(ByVal value As String)
            _Jenis_Kelamin = value
        End Set
    End Property
    Public Shared Property Kota_Lahir() As String
        Get
            Return _Kota_Lahir
        End Get
        Set(ByVal value As String)
            _Kota_Lahir = value
        End Set
    End Property
    Public Shared Property Tanggal_Lahir() As Date
        Get
            Return _Tanggal_Lahir
        End Get
        Set(ByVal value As Date)
            _Tanggal_Lahir = value
        End Set
    End Property
    Public Shared Property Agama() As String
        Get
            Return _Agama
        End Get
        Set(ByVal value As String)
            _Agama = value
        End Set
    End Property
    
    Public Shared Sub EditData(ByVal _cn As SqlClient.SqlConnection, ByVal Nis As Integer)
        Dim sql As New SqlClient.SqlCommand
        sql.Connection = _cn
        sql.CommandType = CommandType.Text
        sql.CommandText = "update siswa set Nis ='" & Nisn & "',Nama_Siswa='" & Nama_Siswa & "',Jenis_Kelamin='" & Jenis_Kelamin & "',Kota_Lahir='" & Kota_Lahir & "',Tanggal_Lahir='" & Tanggal_Lahir & "',Agama='" & Agama & "',Berat_Badan='" & Berat_Badan & "',Tinggi_Badan='" & Tinggi_Badan & "'where Nis='" & Nis & "'"
        ClassSiswa.cmd.ExecuteNonQuery()
        sql.ExecuteNonQuery()
    End Sub
End Class



And this is the SQL query:
Create Database KPIRWAN
use KPIRWAN

Create Table siswa 
(
Nis int,
Nisn int,
Nama_Siswa varchar(40),
Jenis_Kelamin varchar (10),
Kota_Lahir varchar (10),
Tanggal_Lahir date,
Agama varchar (10),
Berat_Badan int,
Tinggi_Badan int)


The function I want is that, after I have searched for the data with the search button, the data can be changed or updated with the update button.

The problem is:
In the btnupdate code, when I tried to update data in the form, the error said
Conversion from string "" to type 'Integer' is not valid for:
ClassSiswa.Nis = txt_nis.Text


or

Conversion from string "" to type 'date' is not valid for:
ClassSiswa.Tanggal_Lahir = DTP_siswa.Text



How do I fix this error?
Updated 2-May-15 23:16pm
Comments
Richard Deeming 1-May-15 8:24am    
Your code is STILL vulnerable to SQL Injection.

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

You cannot set an integer or a date value directly from a text string. They first need to be converted to the correct type, by one of the Parse or TryParse methods.

You should also not use string concatenation for your SQL commands, use proper parameterised queries.
 
 
Comments
asasql 1-May-15 10:09am    
What proper parameterised queries should I use on my SQL command?
Sergey Alexandrovich Kryukov 1-May-15 11:52am    
Please see Solution 3.
—SA
Sergey Alexandrovich Kryukov 1-May-15 11:47am    
5ed.
—SA
Solution 2 explains to you what to do instead of the cast, and let's look at your query obtained by string concatenation.

The query is composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is a way more important issue: it opens the doors to a well-known exploit called SQL injection.

This is how it works: http://xkcd.com/327.

What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
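
An added example (not code from the original thread or its posters) that combines the two answers above: TryParse for the numeric text boxes and an ADO.NET parameterized UPDATE against the siswa table from the question. The names SiswaUpdater and TryUpdate are hypothetical, the connection is assumed to be open already, and Nis is assumed to be the lookup key that the update leaves unchanged.

```vb
Imports System.Data
Imports System.Data.SqlClient

' Added example: SiswaUpdater and TryUpdate are hypothetical names, not from the post.
Public Module SiswaUpdater
    ' Returns Nothing on success, or a message describing what went wrong.
    ' Assumption: cn is an already-open SqlConnection.
    Public Function TryUpdate(cn As SqlConnection, nisText As String, nisnText As String,
                              nama As String, kelamin As String, kota As String,
                              tanggalLahir As Date, agama As String,
                              beratText As String, tinggiText As String) As String
        Dim nis, nisn, berat, tinggi As Integer
        ' TryParse returns False for "" or "abc"; the implicit String-to-Integer
        ' conversion in the question throws InvalidCastException instead.
        If Not Integer.TryParse(nisText, nis) Then Return "Nis must be a whole number."
        If Not Integer.TryParse(nisnText, nisn) Then Return "Nisn must be a whole number."
        If Not Integer.TryParse(beratText, berat) Then Return "Berat_Badan must be a whole number."
        If Not Integer.TryParse(tinggiText, tinggi) Then Return "Tinggi_Badan must be a whole number."

        ' Placeholders only: user input never becomes part of the SQL text.
        Dim query As String = "UPDATE siswa SET Nisn = @Nisn, Nama_Siswa = @Nama, " &
            "Jenis_Kelamin = @Kelamin, Kota_Lahir = @Kota, Tanggal_Lahir = @Tanggal, " &
            "Agama = @Agama, Berat_Badan = @Berat, Tinggi_Badan = @Tinggi WHERE Nis = @Nis"

        Using cmd As New SqlCommand(query, cn)
            ' Types and sizes mirror the CREATE TABLE statement in the question.
            cmd.Parameters.Add("@Nisn", SqlDbType.Int).Value = nisn
            cmd.Parameters.Add("@Nama", SqlDbType.VarChar, 40).Value = nama
            cmd.Parameters.Add("@Kelamin", SqlDbType.VarChar, 10).Value = kelamin
            cmd.Parameters.Add("@Kota", SqlDbType.VarChar, 10).Value = kota
            cmd.Parameters.Add("@Tanggal", SqlDbType.Date).Value = tanggalLahir.Date
            cmd.Parameters.Add("@Agama", SqlDbType.VarChar, 10).Value = agama
            cmd.Parameters.Add("@Berat", SqlDbType.Int).Value = berat
            cmd.Parameters.Add("@Tinggi", SqlDbType.Int).Value = tinggi
            cmd.Parameters.Add("@Nis", SqlDbType.Int).Value = nis
            ' ExecuteNonQuery returns the number of rows affected.
            If cmd.ExecuteNonQuery() = 0 Then Return "No row found with that Nis."
        End Using
        Return Nothing
    End Function
End Module
```

From btnupdate_Click, pass the text boxes' Text values and DTP_siswa.Value (a Date, assuming DTP_siswa is a DateTimePicker) rather than DTP_siswa.Text, and show the returned message when it is not Nothing.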
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


