Click here to Skip to main content
15,611,545 members
Please Sign up or sign in to vote.
1.00/5 (2 votes)
See more:
I have two columns in Datagridview
Which is Column1 and Column 2.
Column 1 contains names from a database table.
In the database, these names have different numbers and I want to sum all the numbers and display the results in Column 2.
But when I do that it displays 0 for all the names in Column 1

This is my code.

For each row As DatagridviewRow In Datagridview1. Rows

row.Cells ("Column2").Value = CDbl(sql = "Select Sum(total) from Assessment where fullname = '" & row.Cells("Column 1"). Values & "'"

cmd = New OleDbCommand (sql,conn)
dr = cm.ExecuteReader()

Catch ex As Exception
MsgBox (ex.Message)

End Try


Pleas help me out
Richard Deeming 21-Jan-16 10:09am    
Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Richmond Boateng 21-Jan-16 10:52am    
Hello Rich, thanks for your comment, but I don't get you well and I would like to get in contact with you. So you can explain things further for me
Richard Deeming 21-Jan-16 11:12am    
Imagine what would happen if one value in Column 1 contained the following:
Robert'; DELETE FROM Assessment;--

Your code would then end up creating a command to execute:
Select Sum(total) from Assessment where fullname = 'Robert'; DELETE FROM Assessment;--'

SQL will see that as three queries:
1. Select Sum(total) from Assessment where fullname = 'Robert';
2. DELETE FROM Assessment;
3. --' (a commented-out line)

It will execute the first two queries, and ignore the comment at the end. This will delete everything from your table!

This is called SQL Injection, and is one of the easiest security vulnerabilities to exploit. A single SQLi vulnerability in your code can cause enormous damage.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
SQL injection attack mechanics | Pluralsight [^]
Richard Deeming 21-Jan-16 10:10am    
Rather than executing a new query for every row returned by the first query, it would be better to combine the two queries.

Click "Improve question" and update your question with the details of the query which provides the values for Column 1, and the structure of your tables.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900