C#
con.Open();
SqlCommand cmd = new SqlCommand("INSERT INTO tblPurchase (Pur_No,Bill_Challan_No,Pur_Date,Sup_Name,Item_Name,Qty,Rate,Total) VALUES('" + textBox1.Text + "','" + textBox2.Text + "','" + dateTimePicker1.Value.ToString("MM/dd/yyyy") + "','" + textBox6.Text + "','" + textBox3.Text + "','" + textBox4.Text + "','" + textBox5.Text + "','" + textBox7.Text + "')", con);
cmd.ExecuteNonQuery();
MessageBox.Show("Purchase Succesfully", "Successfully", MessageBoxButtons.OK, MessageBoxIcon.Information);
Gridview();
con.Close();


What I have tried:

I want to show the result in the Total field before saving to the database.
Like Quantity*Rate=Total
Posted
Updated 20-Jan-17 2:10am
Comments
[no name] 13-Jan-17 9:03am    
"I want to show result before save database in Total field.", okay so go ahead and do that if that is what you want to do. There is nothing stopping you. What might stop you though, is that SQL injection attack invitation you have coded up there.
So where is the issue?

Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parameterized queries instead:
C#
using (SqlCommand cmd = new SqlCommand("INSERT INTO tblPurchase (Pur_No,Bill_Challan_No,Pur_Date,Sup_Name,Item_Name,Qty,Rate,Total) VALUES(@PN, @BCN, @PD, @SN, @IN, @QTY, @RA, @TOT)", con))
   {
   cmd.Parameters.AddWithValue("@PN", textBox1.Text);
   cmd.Parameters.AddWithValue("@BCN", textBox2.Text);
   cmd.Parameters.AddWithValue("@PD", dateTimePicker1.Value);
   cmd.Parameters.AddWithValue("@SN", textBox6.Text);
   cmd.Parameters.AddWithValue("@IN", textBox3.Text);
   cmd.Parameters.AddWithValue("@QTY", textBox4.Text);
   cmd.Parameters.AddWithValue("@RA", textBox5.Text);
   cmd.Parameters.AddWithValue("@TOT", textBox7.Text);
   cmd.ExecuteNonQuery();
   // ...
   }

But even then, that's bad. Instead, your text boxes should be changed to values using TryParse methods and errors reported to the user first.
C#
int qty;
if (!int.TryParse(textBox4.Text, out qty))
   {
   // ... report problem to user
   return;
   }
If you do that for all numeric values, then your problem of displaying (or just checking) that quantity times rate equaling the total becomes trivial - you already know how to do that.

BTW: Do yourself a favour, and stop using Visual Studio default names for everything - you may remember that "TextBox8" is the mobile number today, but when you have to modify it in three weeks' time, will you then? Use descriptive names - "tbMobileNo" for example - and your code becomes easier to read, more self-documenting, easier to maintain - and surprisingly quicker to code because Intellisense can get to "tbMobile" in three keystrokes, where "TextBox8" takes thinking about and 8 keystrokes...
Comments
Methoun Ahmed 27-Jan-17 8:12am    
Please, show full code

int qty;
if (!int.TryParse(textBox4.Text, out qty))
{
... report problem to user
return;
OriginalGriff 27-Jan-17 8:24am    
I can't show you how to report a problem to the user: I have no idea what environment you are working in! :laugh:
How would you normally tell a user "that's not a valid input" in your code?
As pointed out by OriginalGriff, always use parameters. One reason is to be safe from SQL injections, but there are a few other things you should note:

- at the moment you rely on implicit conversions on date and numeric values. For example, if the default date format for the database isn't MM/dd/yyyy, your conversion from dateTimePicker1.Value.ToString("MM/dd/yyyy") will fail. The same happens, for example, if 1,5 is entered in rate.
- you don't examine errors at all, you should have proper try..catch blocks to handle common errors, for example unique constraint violations
- you don't dispose objects. The easiest way is to use using blocks in your code in order to ensure proper disposal of resources

For the problems mentioned above, have a look at Properly executing database operations

Now what comes to the Total field, I wouldn't necessarily use such a column at all. If total is calculated based on Qty * Rate, I would create a computed column in the table instead. Currently, if either quantity or rate changes, you always need to update the total field correspondingly. Also you need to make sure that total cannot be edited; otherwise quantity and rate wouldn't make sense.

Having a computed column solves those problems: you always update the source values, and the computed value is always correct based on the values of the other columns and is read-only. For more information, have a look at Specify Computed Columns in a Table
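Pulling both answers together (parameters instead of concatenation, TryParse before the insert, using blocks, and a try..catch for constraint errors), here is an added example that is not code from the question or either answer. The column types and sizes in the SqlDbType calls and the PurchaseRepository/SavePurchase names are assumptions; if Total is made a computed column as suggested, drop the @TOT parameter and the Total column from the INSERT.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class PurchaseRepository
{
    // Validates the text the user typed, computes Total = Qty * Rate so it can be shown
    // before saving, then inserts with typed parameters. Returns an error message for the
    // caller to display, or null on success. Table/column names are from the question;
    // the SqlDbType sizes are assumptions.
    public static string SavePurchase(string connectionString, string purNo, string billChallanNo,
                                      DateTime purDate, string supName, string itemName,
                                      string qtyText, string rateText, out decimal total)
    {
        total = 0m;
        // Parse numeric fields explicitly so bad input ("abc", "1,5" in an invariant culture)
        // is reported to the user instead of being handed to SQL Server as a string.
        if (!int.TryParse(qtyText, NumberStyles.Integer, CultureInfo.CurrentCulture, out int qty) || qty <= 0)
            return "Quantity must be a positive whole number.";
        if (!decimal.TryParse(rateText, NumberStyles.Number, CultureInfo.CurrentCulture, out decimal rate) || rate < 0)
            return "Rate must be a non-negative number.";
        total = qty * rate;  // the value the UI can display in the Total field before saving
        const string sql =
            "INSERT INTO tblPurchase (Pur_No, Bill_Challan_No, Pur_Date, Sup_Name, Item_Name, Qty, Rate, Total) " +
            "VALUES (@PN, @BCN, @PD, @SN, @IN, @QTY, @RA, @TOT)";
        try
        {
            // using blocks dispose the connection and command even when an exception is thrown
            using (var con = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand(sql, con))
            {
                // Typed parameters: no string concatenation, and no reliance on the server's
                // date or decimal text format (the DateTime and decimal go over as values).
                cmd.Parameters.Add("@PN", SqlDbType.NVarChar, 50).Value = purNo;
                cmd.Parameters.Add("@BCN", SqlDbType.NVarChar, 50).Value = billChallanNo;
                cmd.Parameters.Add("@PD", SqlDbType.DateTime).Value = purDate;
                cmd.Parameters.Add("@SN", SqlDbType.NVarChar, 100).Value = supName;
                cmd.Parameters.Add("@IN", SqlDbType.NVarChar, 100).Value = itemName;
                cmd.Parameters.Add("@QTY", SqlDbType.Int).Value = qty;
                cmd.Parameters.Add("@RA", SqlDbType.Decimal).Value = rate;
                cmd.Parameters.Add("@TOT", SqlDbType.Decimal).Value = total;
                con.Open();
                cmd.ExecuteNonQuery();
            }
            return null;
        }
        catch (SqlException ex) when (ex.Number == 2627 || ex.Number == 2601)
        {
            // 2627 / 2601 are SQL Server's unique constraint / unique index violation errors
            return "A purchase with this number already exists.";
        }
    }
}
```

A button handler can call SavePurchase, show the returned message if it is not null, and otherwise write total into the Total text box and refresh the grid.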
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)