This is a quick mock up of how I would rewrite this. There are several changes done.
1. Validate. Check to make sure your text-boxes are filled and contain valid data
2. `using` block. This makes sure that your SqlConnection is disposed of properly
3. Parameterization. Passing the values as SQL parameters, instead of concatenating them into the command text, is the best way to avoid SQL Injection
4. Evaluation. Check how many rows were actually affected by your SQL Command
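// Updates one employee's first name from two text inputs and reports the outcome.
// RowsAffected doubles as the status code: -1 means validation failed and no SQL was run,
// otherwise it holds the row count returned by ExecuteNonQuery().
int RowsAffected = -1;
string MessageboxContent = string.Empty;
int EmployeeID = -1;

// NOTE(review): assumes textBox1/textBox2 are TextBox controls, so the user input is read
// from .Text. The original passed the controls themselves, which does not compile.
string Firstname = textBox2.Text.Trim();

// Validate before touching the database: the ID must be an integer and the name non-empty.
if (int.TryParse(textBox1.Text, out EmployeeID) && Firstname.Length > 0)
{
    // NOTE(review): the connection string is hard-coded with a user-specific path;
    // consider moving it to the application's configuration file.
    using (SqlConnection sqlcon = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=C:\\Users\\john\\Documents\\Visual Studio 2010\\Projects\\Login\\Login\\dblogin.mdf;Integrated Security=True;Connect Timeout=30;User Instance=True"))
    // SqlCommand is IDisposable as well, so it gets its own using block.
    using (SqlCommand cmd = new SqlCommand("UPDATE tbl_employee SET Firstname= @Firstname WHERE Employee_ID= @EmployeeID", sqlcon))
    {
        // User input is bound as parameters and never concatenated into the SQL text,
        // so it cannot change the structure of the statement.
        cmd.Parameters.AddWithValue("@Firstname", Firstname);
        cmd.Parameters.AddWithValue("@EmployeeID", EmployeeID);

        sqlcon.Open();
        RowsAffected = cmd.ExecuteNonQuery();
        // No explicit Close(): leaving the using block disposes (and closes) the connection,
        // including when ExecuteNonQuery throws.
    }
}

// Translate the status / row count into a user-facing message.
switch (RowsAffected)
{
    case -1:
        MessageboxContent = "Invalid data entered";
        break;
    case 0:
        MessageboxContent = "Employee not found, record not updated";
        break;
    case 1:
        // Exactly one row is the expected result of an update keyed on Employee_ID.
        MessageboxContent = "Record has been updated Successfully";
        break;
    default:
        // More than one row changed: Employee_ID is presumably meant to be unique, so surface it.
        MessageboxContent = string.Format("Error: {0} records updated", RowsAffected);
        break;
}

MessageBox.Show(MessageboxContent);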