Hi,
I have a data grid and update it with this SQL command:
C#
private void MyUpdate(string tblname, string value, int id)
{
    // All three inputs are concatenated straight into the statement; the
    // value is not quoted, so only a number produces valid SQL here.
    string str = @"update dbo." + tblname + "";
    str += " set SettingValue = " + value + "";
    str += " where id = '" + id + "'";
    SqlCommand cm = new SqlCommand(str, MyConnection);
    MyConnection.Open();
    cm.ExecuteNonQuery();   // UPDATE returns no result set, so no reader is needed
    MyConnection.Close();
    BindGrid();
}

and get the values for 'tblname', 'id' and 'value' from the DataGridView:
C#
int Id = Convert.ToInt32(dataGridView1.CurrentRow.Cells["id"].Value);
string tblname = dataGridView1.CurrentRow.Cells["TableName"].Value.ToString();
string val = textBox1.Text;
MyUpdate(tblname, val, Id);

and this is the query that binds the DataGridView:
C#
private void BindGrid()
{
    dataGridView1.DataSource = bindingSource1;
    // Each branch of the UNION tags its rows with the table they came from,
    // so the update code knows which table to write back to.
    var str = @"SELECT B.Id,
                       CASE WHEN B.SettingDesc IS NULL THEN B.SettingKey
                            WHEN B.SettingDesc = '' THEN B.SettingKey
                            WHEN B.SettingDesc <> '' THEN B.SettingDesc END AS SettingDesc,
                       'SysSettingsDep' AS TableName, B.SettingValue AS SettingValue
                FROM SysCustomer AS A
                INNER JOIN SysSettingsDep AS B ON A.SettingKey = B.SettingKey
                UNION
                SELECT C.Id,
                       CASE WHEN C.SettingDesc IS NULL THEN C.SettingKey
                            WHEN C.SettingDesc = '' THEN C.SettingKey
                            WHEN C.SettingDesc <> '' THEN C.SettingDesc END AS SettingDesc,
                       'SysSettingsMachine' AS TableName, C.SettingValue AS SettingValue
                FROM SysCustomer AS A
                INNER JOIN SysSettingsMachine AS C ON A.SettingKey = C.SettingKey
                UNION
                SELECT D.Id,
                       CASE WHEN D.SettingDesc IS NULL THEN D.SettingKey
                            WHEN D.SettingDesc = '' THEN D.SettingKey
                            WHEN D.SettingDesc <> '' THEN D.SettingDesc END AS SettingDesc,
                       'SysSettings' AS TableName, D.SettingValue AS SettingValue
                FROM SysCustomer AS A
                INNER JOIN SysSettings AS D ON A.SettingKey = D.SettingKey";

    SqlDataAdapter dataAdapter = new SqlDataAdapter(str, MyConnection);
    SqlCommandBuilder commandBuilder = new SqlCommandBuilder(dataAdapter);
    DataTable table = new DataTable();
    table.Locale = System.Globalization.CultureInfo.InvariantCulture;
    dataAdapter.Fill(table);
    bindingSource1.DataSource = table;
    dataGridView1.AutoResizeColumns(DataGridViewAutoSizeColumnsMode.AllCellsExceptHeader);
}


The problem is that when I enter a number it is updated, but characters are not updated.
Why?
Help me.
Posted
Updated 28-Oct-12 0:01am
Comments
John d. Bartels 21-Oct-12 11:03am    
At the end of your BindGrid() method, try the following: "dataGridView1.Refresh();"
a1mimo 21-Oct-12 17:06pm    
I second John: just add dataGridView1.Refresh(); at the end and it will update it.
Max Vagner 22-Oct-12 17:10pm    
Off-topic: Your code is vulnerable to SQL injection. For example, if I enter "'' where 1=1--" in your textBox1, it will corrupt every single record in your database. You should avoid building SQL strings. Use a stored procedure instead.
amirmohamad 24-Oct-12 5:24am    
Building the SQL string has the advantage that I can do more operations on it. Do you agree or not?
Max Vagner 25-Oct-12 7:19am    
You don't have to sacrifice convenience. It's possible to use a SQL SELECT statement with parameters, which prevents the possibility of injection. Here's an example:
SqlCommand cmd = new SqlCommand("SELECT * FROM Customers WHERE city = @City", conn);
SqlParameter param = new SqlParameter();
param.ParameterName = "@City";
param.Value = inputCity;
cmd.Parameters.Add(param);   // the parameter must be attached to the command before it is executed

1 solution

In your code below I found that you are updating the setting value.
In the case of a number it will update, but in the case of characters you will get an error, because quotation marks ('') are required.

C#
string str = @"update dbo." + tblname + "";
str += " set SettingValue = " + value + "";   // value is not quoted
str += " where id = '" + id + "'";
SqlCommand cm = new SqlCommand(str, MyConnection);
MyConnection.Open();
cm.ExecuteNonQuery();   // UPDATE returns no result set
MyConnection.Close();
BindGrid();


Instead of the above code, try this one:
C#
string str = @"update dbo." + tblname + "";
str += " set SettingValue = '" + value + "'";   // value is now a quoted string literal
str += " where id = '" + id + "'";
SqlCommand cm = new SqlCommand(str, MyConnection);
MyConnection.Open();
cm.ExecuteNonQuery();   // UPDATE returns no result set
MyConnection.Close();
BindGrid();
Comments
amirmohamad 4-Nov-12 23:41pm    
Wow, that's good.
Thanks for the help.
+5
amirmohamad 4-Nov-12 23:58pm    
So the problem with "" was in the second line?
"" + value + ""
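Putting Max Vagner's comment and the accepted answer together: the answer's quoted version makes character values update, but it still concatenates textBox1.Text into the statement, so the "'' where 1=1--" payload from the comments rewrites the WHERE clause. The following is an added example, not code from the question, the answer or the comments, of how MyUpdate() could be written so it both updates character values and is not injectable. It assumes the three table names that BindGrid() selects from (SysSettingsDep, SysSettingsMachine, SysSettings), an int Id column, an nvarchar SettingValue column and a connectionString supplied by the caller; none of that is stated on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example: a hardened replacement for the MyUpdate() in the question.
// Assumptions (not stated on the page): the grid only ever carries the three
// table names BindGrid() selects from, Id is an int column, SettingValue is
// nvarchar, and connectionString is supplied by the caller.
public static class SettingsUpdater
{
    // A table name cannot be passed as a SqlParameter, so it is validated
    // against a fixed allow-list instead of being trusted from the grid cell.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "SysSettingsDep", "SysSettingsMachine", "SysSettings"
        };

    // What the answer's concatenation produces. Kept only to show the payload
    // from the comments: with value = "'' where 1=1--" and id = 5 the result is
    //   update dbo.SysSettings set SettingValue = '' where 1=1-- where id = '5'
    // Everything after -- is a comment, so every row in the table is overwritten.
    public static string BuildConcatenatedSql(string tblname, string value, int id)
    {
        return "update dbo." + tblname + " set SettingValue = '" + value + "' where id = '" + id + "'";
    }

    // Parameterised version: the identifier is checked, the data travels as
    // parameters, and the caller learns how many rows actually changed.
    public static int UpdateSettingValue(string connectionString, string tblname, string value, int id)
    {
        if (!AllowedTables.Contains(tblname))
            throw new ArgumentException("Unknown settings table: " + tblname, nameof(tblname));

        // tblname is now one of three known identifiers; the brackets are a
        // second line of defence, not the check itself.
        string sql = "UPDATE dbo.[" + tblname + "] SET SettingValue = @Value WHERE Id = @Id";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and size: the text "'' where 1=1--" is stored as a
            // string, never parsed as SQL, and the plan cache keeps one plan.
            cmd.Parameters.Add("@Value", SqlDbType.NVarChar, 4000).Value = (object)value ?? DBNull.Value;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;

            conn.Open();
            int rows = cmd.ExecuteNonQuery();   // UPDATE returns no result set
            if (rows == 0)
                throw new InvalidOperationException("No row with Id " + id + " in " + tblname);
            return rows;
        }
    }
}
```

Call UpdateSettingValue(connectionString, tblname, val, Id) where the question calls MyUpdate(tblname, val, Id), then BindGrid(). The table name still comes from the grid cell, but anything other than the three expected names is rejected before it reaches SqlCommand, and the value typed into textBox1 can no longer change the shape of the statement.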

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
