Insert and Updating in the same command code

Question

3.00/5 (1 vote)

See more:

I have a web form that a user can enter data and save it to the database. The user can save the data and come back to edit it later or finish it later. Lets say the user enters data and saves it top the database. Comes back later and sees that one or two numbers are incorrect and edit those numbers. The data that the user saved is populated back to the web form so the user can see what they entered. My question is, How can the user update the data without inserting a new record into the database?

Here is the code I have for populating the textboxes:

C#

if (!IsPostBack)
        {
            if (TextBoxUser_ID.Text.Trim().Length > 0)
            {
                SqlConnection con44 = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
                con44.Open();

                SqlCommand scmd44 = new SqlCommand("Select FT_UNDERGR, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b, THCAS, FTE40, HC50, FTE4050 from Table44 where User_ID = '" + TextBoxUser_ID.Text + "'", con44);
                SqlDataReader dr44 = scmd44.ExecuteReader();
                if (dr44.Read())
                {
                    TextBoxFTUG.Text = dr44["FT_UNDERGR"].ToString();
                    TextBoxFTG.Text = dr44["FT_GRAD"].ToString();
                    TextBoxTHUGDR.Text = dr44["FTE_UNDERG"].ToString();
                    TextBoxTHGDR.Text = dr44["FTE_GRAD"].ToString();
                    TextBoxNCCDR.Text = dr44["NON_CREDIT"].ToString();
                    TextBoxTCNC.Text = dr44["TOTAL_FTE"].ToString();
                    TextBoxTNFUG.Text = dr44["FCFTUHC"].ToString();
                    TextBoxTNFG.Text = dr44["FCFTPBHC"].ToString();
                    TextBoxTNCPUG.Text = dr44["FCPTUHC"].ToString();
                    TextBoxTNCPG.Text = dr44["FCPTPBHC"].ToString();
                    TextBoxTNNCC.Text = dr44["NCHC"].ToString();
                    TextBoxFTE40.Text = dr44["FTE40"].ToString();
                    TextBoxHC50.Text = dr44["HC50"].ToString();
                    TextBoxFTE4050.Text = dr44["FTE4050"].ToString();
                    TextBoxTHUG.Text = dr44["UNDERG12"].ToString();
                    TextBoxTHG.Text = dr44["Postb9"].ToString();
                    TextBoxT1234.Text = dr44["TOTAL123b4b"].ToString();
                    TextBoxTHCAS.Text = dr44["THCAS"].ToString();
                }
                con44.Close();
                dr44.Close();

Here is the Insert code:

C#

protected void ButtonSave_Click(object sender, EventArgs e)
    {
        SqlConnection con7 = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
        con7.Open();

        SqlCommand cmd = new SqlCommand("Insert into Table44 (User_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b, FTEYR, THCAS, FTE40, HC50, FTE4050) values (@User_ID, @FT_UNDERGR, @DATE, @FT_GRAD, @FTE_UNDERG, @FTE_GRAD, @NON_CREDIT, @TOTAL_FTE, @FCFTUHC, @FCFTPBHC, @FCPTUHC, @FCPTPBHC, @NCHC, @UnderG12, @Postb9, @Total123b4b, @FTEYR, @THCAS, @FTE40, @HC50, @FTE4050);", con7);

        cmd.CommandType = CommandType.Text;

        cmd.Parameters.AddWithValue("@User_ID", TextBoxUser_ID.Text);
        cmd.Parameters.AddWithValue("@FT_UNDERGR", TextBoxFTUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FT_GRAD", TextBoxFTG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE_UNDERG", TextBoxTHUGDR.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE_GRAD", TextBoxTHGDR.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@NON_CREDIT", TextBoxNCCDR.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@TOTAL_FTE", TextBoxTCNC.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCFTUHC", TextBoxTNFUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCFTPBHC", TextBoxTNFG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCPTUHC", TextBoxTNCPUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCPTPBHC", TextBoxTNCPG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@NCHC", TextBoxTNNCC.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTEYR", lblYEAR1.Text);
        cmd.Parameters.AddWithValue("@DATE", TextBoxDATE.Text);
        cmd.Parameters.AddWithValue("@UnderG12", TextBoxTHUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@Postb9", TextBoxTHG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@Total123b4b", TextBoxT1234.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@THCAS", TextBoxTHCAS.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE40", TextBoxFTE40.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@HC50", TextBoxHC50.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE4050", TextBoxFTE4050.Text.Replace(",", ""));

        cmd.ExecuteNonQuery();

        if (Page.IsPostBack)
        {
            ScriptManager.RegisterStartupScript(this, typeof(Page), "myscript", "alert('You have successfully saved the electronic portion of the Enrollment Profile. You will now be direct to the Graduation Rate Information Page');location.href='Gradrate.aspx';", true);
        }

Posted 4-Nov-14 4:07am

Computer Wiz99

Add a Solution

Comments

Richard Deeming 4-Nov-14 13:13pm

Your SELECT code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

3 solutions

Solution 2

The "User_ID" field of table named "Table44" will be able to tell you whether it is an update or insert. This "User_ID" should be a primary key. Check the existence of the "User_ID" value to determine whether to insert or update.

Posted 4-Nov-14 4:41am

Peter Leow

Comments

Computer Wiz99 4-Nov-14 10:55am

Peter Leow, So my code should look like this: See my solution.

Solution 3

C#

SqlConnection con7 = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
        con7.Open();
IF EXISTS (SELECT * FROM Table44 WHERE User_ID = @User_ID)
        UPDATE Table44 
        SET User_ID = @User_ID, FT_UNDERGR = @FT_UNDERGR, ..... 
        WHERE User_ID = @User_ID
     ELSE
        INSERT INTO Table44 (User_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b, FTEYR, THCAS, FTE40, HC50, FTE4050) values (@USER_ID, @FT_UNDERGR, @DATE, @FT_GRAD, @FTE_UNDERG, @FTE_GRAD, @NON_CREDIT, @TOTAL_FTE, @FCFTUHC, @FCFTPBHC, @FCPTUHC, @FCPTPBHC, @NCHC, @UnderG12, @Postb9, @Total123b4b, @FTEYR, @THCAS, @FTE40, @HC50, @FTE4050);", con7);

cmd.CommandType = CommandType.Text;

        cmd.Parameters.AddWithValue("@User_ID", TextBoxUSER_ID.Text);
        cmd.Parameters.AddWithValue("@FT_UNDERGR", TextBoxFTUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FT_GRAD", TextBoxFTG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE_UNDERG", TextBoxTHUGDR.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE_GRAD", TextBoxTHGDR.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@NON_CREDIT", TextBoxNCCDR.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@TOTAL_FTE", TextBoxTCNC.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCFTUHC", TextBoxTNFUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCFTPBHC", TextBoxTNFG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCPTUHC", TextBoxTNCPUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FCPTPBHC", TextBoxTNCPG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@NCHC", TextBoxTNNCC.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTEYR", lblYEAR1.Text);
        cmd.Parameters.AddWithValue("@DATE", TextBoxDATE.Text);
        cmd.Parameters.AddWithValue("@UnderG12", TextBoxTHUG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@Postb9", TextBoxTHG.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@Total123b4b", TextBoxT1234.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@THCAS", TextBoxTHCAS.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE40", TextBoxFTE40.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@HC50", TextBoxHC50.Text.Replace(",", ""));
        cmd.Parameters.AddWithValue("@FTE4050", TextBoxFTE4050.Text.Replace(",", ""));

        cmd.ExecuteNonQuery();

Posted 4-Nov-14 4:57am

Computer Wiz99

Updated 4-Nov-14 5:01am

v2

Comments

Maciej Los 4-Nov-14 11:00am

No! Please, read again solution1. You need to create Stored procedure (using Microsoft SQL Managment Studio), then to call it from code.

Computer Wiz99 4-Nov-14 11:46am

Right now the data is saved into a table called table44. It is not the real table. It just holds the data until it is transferred to the real database and tables. I just need the user to insert their data if it doesn't exist and update if it does exist under the same button function.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

DamithSL · Accepted Answer · 2014-11-04T04:26:00

Solution 1

create stored procedure[^] to insert or update if record does not exist. sample sql:

SQL

IF EXISTS (SELECT * FROM YourTable WHERE pkid= @pkid)
        UPDATE YourTable 
        SET col1= @col1, ......
        WHERE pkid= @pkid
     ELSE
        INSERT INTO YourTable (col1, col2,...)

finally execute stored procedure from c# code

Posted 4-Nov-14 4:26am

DamithSL

Comments

Shweta N Mishra 4-Nov-14 10:36am

+5 :)

DamithSL 4-Nov-14 10:55am

thank you, shweta

Maciej Los 4-Nov-14 10:57am

Good advice. I'll add information about sql injection ;)
[EDIT]
+5, of course.