I have two columns in a DataGridView, which are Column1 and Column2.
Column1 contains names from a database table.
In the database, these names have different numbers, and I want to sum all the numbers and display the results in Column2.
But when I do that, it displays 0 for all the names in Column1.

This is my code.

For Each row As DataGridViewRow In DataGridView1.Rows

    Try
        row.Cells("Column2").Value = CDbl(sql = "Select Sum(total) from Assessment where fullname = '" & row.Cells("Column 1").Value & "'")

        conn()
        cmd = New OleDbCommand(sql, conn)
        dr = cmd.ExecuteReader()

    Catch ex As Exception
        MsgBox(ex.Message)

    End Try

Next


Please help me out.
Comments
Richard Deeming 21-Jan-16 10:09am    
Your code is vulnerable to SQL Injection.

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Richmond Boateng 21-Jan-16 10:52am    
Hello Rich, thanks for your comment, but I don't quite follow you, and I would like to get in contact with you so you can explain things further for me.
Richard Deeming 21-Jan-16 11:12am    
Imagine what would happen if one value in Column 1 contained the following:
Robert'; DELETE FROM Assessment;--

Your code would then end up creating a command to execute:
Select Sum(total) from Assessment where fullname = 'Robert'; DELETE FROM Assessment;--'

SQL will see that as three queries:
1. Select Sum(total) from Assessment where fullname = 'Robert';
2. DELETE FROM Assessment;
3. --' (a commented-out line)

It will execute the first two queries, and ignore the comment at the end. This will delete everything from your table!

This is called SQL Injection, and is one of the easiest security vulnerabilities to exploit. A single SQLi vulnerability in your code can cause enormous damage.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
SQL injection attack mechanics | Pluralsight
Richard Deeming 21-Jan-16 10:10am    
Rather than executing a new query for every row returned by the first query, it would be better to combine the two queries.

Click "Improve question" and update your question with the details of the query which provides the values for Column 1, and the structure of your tables.
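An added example (Python with sqlite3 standing in for VB.NET and OleDb; not code from the question or from the comments) that runs the hostile Column1 value from the SQL injection comment through the concatenated query the post builds, then through a parameterized version, and finally fills every name at once with a single GROUP BY query as the second comment suggests. The Assessment table layout, the three sample rows and the helper function names are assumptions made for the example; only the fullname and total columns come from the post. One observation about the posted code itself: `CDbl(sql = "Select ...")` compares `sql` with the query text, which is False, and `CDbl(False)` is 0, so Column2 is set to 0 before any query runs.

```python
"""Added example in Python + sqlite3 (not the VB.NET/OleDb code from the question).

Stands in for the Assessment table with constructed rows and contrasts the
concatenated query from the post, a parameterized version, and a single
GROUP BY query that fills Column2 for every name in one round trip."""
import sqlite3

# Constructed sample data; only fullname and total are known from the post.
SAMPLE_ROWS = [
    ("Robert", 10.0),
    ("Robert", 5.5),
    ("Alice", 7.0),
]

# The hostile Column1 value quoted in the comment thread.
PAYLOAD = "Robert'; DELETE FROM Assessment;--"


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the database behind OleDbConnection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Assessment (fullname TEXT, total REAL)")
    conn.executemany("INSERT INTO Assessment VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_concatenated_sql(fullname: str) -> str:
    """Exactly what the posted code does: paste the cell text into the SQL."""
    return "Select Sum(total) from Assessment where fullname = '" + fullname + "'"


def rows_left_after_concatenated(fullname: str) -> int:
    """Hand the concatenated text to a driver that executes every statement
    it receives (modelled here with executescript) and report how many
    Assessment rows survive."""
    conn = fresh_db()
    conn.executescript(build_concatenated_sql(fullname))
    return conn.execute("SELECT COUNT(*) FROM Assessment").fetchone()[0]


def sum_parameterized(conn: sqlite3.Connection, fullname: str):
    """Parameterized form: fullname travels as a value, not as SQL text, so
    the payload is compared as a literal name and never becomes a statement.
    Returns None when no row matches (SUM over zero rows is NULL)."""
    sql = "SELECT SUM(total) FROM Assessment WHERE fullname = ?"
    return conn.execute(sql, (fullname,)).fetchone()[0]


def sums_by_name(conn: sqlite3.Connection) -> dict:
    """One query for the whole grid instead of one query per DataGridView row."""
    sql = "SELECT fullname, SUM(total) FROM Assessment GROUP BY fullname"
    return {name: total for name, total in conn.execute(sql)}


if __name__ == "__main__":
    print(build_concatenated_sql(PAYLOAD))
    print("rows left after concatenated query:", rows_left_after_concatenated(PAYLOAD))
    db = fresh_db()
    print("parameterized sum for payload:", sum_parameterized(db, PAYLOAD))
    print("rows still present:", db.execute("SELECT COUNT(*) FROM Assessment").fetchone()[0])
    print("grouped sums:", sums_by_name(db))
```

`executescript` is used only to model a driver that runs every statement in the string it is given; sqlite3's plain `execute` refuses more than one statement, which is a driver property and not a defence the concatenated code can rely on. The parameterized query keeps the table intact and simply finds no rows for the payload, and `sums_by_name` returns the value for every name in one round trip, which is what the comment about combining the two queries is asking for.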

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900