how to update user on navicat using c# visual studio
when i click the picture button it can't update user
Activity = "";
Con.InitializeConnection(Server, "maternal");
string add = textBox9.Text + " " + textBox10.Text + " " + textBox11.Text;
string sql = "UPDATE tb_maternal_masterlist SET lname = '" + textBox2.Text + "', fname='" + textBox3.Text + "', mname='" + textBox4.Text +
"', age='" + textBox5.Text + "', birth='" + dateTimePicker1.Text + "', occupation='" + textBox6.Text + "', sex='" + textBox7.Text +
"', marital='" + comboBox2.Text + "', zip='" + textBox8.Text + "', address='" + add + "', street='" + textBox9.Text +
"', barangay='" + textBox10.Text + "', city='" + textBox11.Text + "', hlname='" + textBox12.Text + "', hfname='" + textBox13.Text +
"', hmname='" + textBox14.Text + "', hsuffix='" + textBox15.Text + "', hage='" + textBox16.Text + "', hoccupation='" + textBox17.Text +
"', hcontact='" + textBox18.Text + "', religion='" + textBox1.Text + "', " + "marriage='" + textBox49.Text + "', hreligion='" + textBox48.Text +
"', nocba='" + textBox19.Text + "', nocbl='" + textBox20.Text + "', noa='" + textBox21.Text + "', nosb='" + textBox22.Text +
"', familyplanning='" + cbx1.Text + "', method='" + textBox23.Text + "', willing='" + cbx2.Text + "', menshistory='" + textBox46.Text +
"', gravida='" + textBox40.Text + "', " + "para='" + textBox41.Text + "', hemorage='" + cbx3.Text + "', toxemia='" + cbx4.Text +
"', placenta='" + cbx5.Text + "', sepsis='" + cbx6.Text + "', famhistory='" + textBox42.Text + "', nausea='" + cbx7.Text +
"', vomiting='" + cbx8.Text + "', headache='" + cbx9.Text + "', dizziness='" + cbx10.Text + "', edema='" + cbx11.Text + "', pruritus='" + cbx12.Text +
"', " + "constipation='" + cbx13.Text + "', cramps='" + cbx14.Text + "', bleeding='" + cbx15.Text + "', leucorrhea='" + cbx16.Text +
"', indigestion='" + cbx17.Text + "', blurring='" + cbx18.Text + "', lastmens='" + textBox24.Text + "', expectmens='" + textBox25.Text +
"', aptype='" + cbx19.Text + "', riskcode='" + textBox26.Text + "', " + "lastdelivery='" + textBox27.Text +
"', placedelivery='" + textBox28.Text + "', tt1='" + textBox29.Text + "', tt2='" + textBox30.Text + "', tt3='" + textBox31.Text +
"', tt4='" + textBox32.Text + "', tt5='" + textBox33.Text + "', special='" + textBox47.Text + "' where pincode='" + FUCKINGPINCODE + "'";
Con.UpdateData(Con.ConString, sql);
Activity = "Updating Patient Info and History";
MessageBox.Show("PATIENT INFO AND HISTORY SUCCESSFULLY UPDATED!");
SaveActivity();
this.Close();
Related
I have a DataGridView in my first form and I made a second form to create a Database entry with following code:
clsMSSQL.clsMSSQL ticket = new clsMSSQL.clsMSSQL(5);
string query = "INSERT INTO ticket.support (Betreff, Problembeschreibung, Kategorie, Ersteller, Bearbeiter, E-Mail, Abteilung) " +
"Values('" + textBox1.Text + "', '" + textBox2.Text + "', '" + comboBox1.Text + "', '" + textBox4.Text + "', '" + textBox5.Text + "', '" + textBox8.Text + "', '" + comboBox3.Text + "')";
ticket.Query(query);
ticket.Close();
myDGW.Refresh();
this.Close();
Now I made a third form which should be a able to get the selected row from the first form and change the values with the Textboxes.
I tried this:
clsMSSQL.clsMSSQL ticket = new clsMSSQL.clsMSSQL(5);
string query = "UPDATE ticket.support SET = (Betreff, Problembeschreibung, Kategorie, Ersteller, Bearbeiter, E-Mail, Abteilung) " +
"Values('" + textBox1.Text + "', '" + textBox2.Text + "', '" + comboBox1.Text + "', '" + textBox4.Text + "', '" + textBox5.Text + "', '" + textBox8.Text + "', '" + comboBox3.Text + "') WHERE id='" + dataGridView1.Rows[i].Cells[11].Value.ToString() + "'";
ticket.Query(query);
ticket.Close();
myDGW.Refresh();
this.Close();
But it doesnt work.
my command Text criteria must find the User ID and the date. the User ID works fine but not with Date criteria
the database will have multiple lines with the user id but the dates will be different
here is my code....
// UPDATE
var workingDate = dateTimePicker2.Value.ToString("yyyy/MM/dd").Trim();
OleDbCommand cmd15 = new OleDbCommand();
cmd15.Connection = connect;
cmd15.CommandText = "UPDATE WorkTable SET Actual_HoursWe1='" + Actual_HoursWe + "', Paid_HoursWE1='" + Paid_HoursWE + "', NSWE1='" + NSWE + "', OT1WE1='" + OT1WE + "', OT_21='" + OT1WE + "', PBWE1='" + PBWE + "', Actual_HoursTH1='" + Actual_HoursTH + "', Paid_HoursTH1='" + Paid_HoursTH + "', NSTH1='" + NSTH + "', OT1TH1='" + OT1TH + "', OT2TH1='" + OT2TH + "', PBTH1='" + PBTH + "', Actual_HoursFR1='" + Actual_HoursFR + "', Paid_HoursFr1='" + Paid_HoursFr + "', NSFR1='" + NSFR + "', OT2FR1='" + OT2FR + "', OT1FR1='" + OT1FR + "', PBFR1='" + PBFR + "', Actual_HoursSA1 ='" + Actual_HoursSA + "', Paid_HoursSA1='" + Paid_HoursSA + "', NSSA1='" + NSSA + "', OT1SA1='" + OT1SA + "', OT2SA1='" + OT2SA + "', PBSA1='" + PBSA + "', Actual_HoursSU1='" + Actual_HoursSU + "', OT2SU1='" + OT2SU + "', PBSU1='" + PBSU + "', Actual_HoursMO1='" + Actual_HoursMO + "', Paid_HoursMO1='" + Paid_HoursMO + "', NSMO1='" + NSMO + "', OT1MO1='" + OT1MO + "', OT2MO1='" + OT2MO + "', PBMO1='" + PBMO + "', Actual_HoursTU1='" + Actual_HoursTU + "', Paid_HourseU1='" + Paid_HourseU + "', NSTU1='" + NSTU + "', OT1TU1='" + OT1TU + "', OT2TU1='" + OT2TU + "', PBTU1='" + PBTU + "', Paid_Hrs1='" + Paid_Hrs + "', TotalOT151='" + TotalOT15 + "', TotalOT21='" + TotalOT2 + "', TotalNS1='" + TotalNS + "', TotalPB1='" + TotalPB + "' WHERE User_ID ='" + User_ID + "' AND DateWE =" + workingDate ;
cmd15.ExecuteNonQuery();
}
connect.Close();
}
it gives me an error on the end of the criteria
Hi guys I have this problem in my string query in inserting data in c#. I know that my query is correct, because when I type some random words it saves. But when I typed the correct data in textbox it keeps getting error in the syntax. and my codes below
try
{
string connStr = "server = 127.0.0.1; uid = root; " + "pwd =; database = scco";
string Query = " insert into scco.m_information (accno,tom,sname,gname,mname,gender,cno,father,mother,bday,age,email,educattain,cstatus,preadd,proadd,yres,residency,toj,comname,comadd,ccno,mincome,oincome,moincome,daccepted,ICS,BOD,DOP,NOS,AOS,YA,spname,spdad,spmom,stoj,scname,scadd,sccno,smi,nc1,stat1,kind1,inc1,allow1,nc2,stat2,kind2,inc2,allow2,nc3,stat3,kind3,inc3,allow3,nc4,stat4,kind4,inc4,allow4,nc5,stat5,kind5,inc5,allow5,nc6,stat6,kind6,inc6,allow6,befname,befrel,refname,refcno) values ('" + this.txtID.Text + "','" + tom + "', '" + this.txtSname.Text + "', '" + this.txtGname.Text + "', '" + this.txtMname.Text + "', '" + gender + "', '" + this.txtCno.Text + "', '" + this.txtDad.Text + "', '" + this.txtMom.Text + "', '" + this.dBirth.Text + "', '" + this.txtAge.Text + "', '" + this.txtEmail.Text + "', '" + this.cmbEducAttain.Text + "', '" + cstatus + "', '" + this.rtbPreAdd.Text + "', '" + this.rtbProAdd.Text + "', '" + this.txtYRes.Text + "', '" + residency + "','" + toj + "', '" + this.rtbComp.Text + "', '" + this.rtbCadd.Text + "', '" + this.txtCCno.Text + "', '" + this.txtMincome.Text + "', '" + this.txtOSincome.Text + "', '" + this.txtIncome.Text + "','" + this.dAccepted.Text + "', '" + this.txtIcs.Text + "', '" + this.txtBod.Text + "', '" + this.txtdop.Text + "', '" + this.txtnos.Text + "', '" + this.txtaos.Text + "', '" + this.txtya.Text + "','" + this.txtSpName.Text + "', '" + this.txtSFname.Text + "', '" + this.txtSMname.Text + "', '" + stoj + "', '" + this.rtbpscomname.Text + "', '" + this.rtbspcomadd.Text + "', '" + this.txtspccno.Text + "', '" + this.txtspminc.Text + "', '" + this.txtChild1.Text + "', '" + this.cmbCStatus1.Text + "', '" + this.cmbKind1.Text + "', '" + this.txtA1.Text + "', '" + this.txtI1.Text + "', '" + this.txtChild2.Text + "', '" + this.cmbCStatus2.Text + "', '" + this.cmbKind2.Text + "', '" + this.txtA2.Text + "', '" + this.txtI2.Text + "', '" + this.txtChild3.Text + "', '" + this.cmbCStatus3.Text + "', '" + this.cmbKind3.Text + "', '" + this.txtA3.Text + "', '" + this.txtI3.Text + "', '" + this.txtChild4.Text + "', '" + this.cmbCStatus4.Text + "', '" + this.cmbKind4.Text + "', '" + this.txtA4.Text + "', '" + this.txtI4.Text + "', '" + this.txtChild5.Text + "', '" + this.cmbCStatus5.Text + "', '" + this.cmbKind5.Text + "', '" + this.txtA5.Text + "', '" + this.txtI5.Text + "', '" + this.txtChild6.Text + "', '" + this.cmbCStatus6.Text + "', '" + this.cmbKind6.Text + "', '" + this.txtA6.Text + "', '" + this.txtI6.Text + "','" + this.rtbBefName.Text + "','" + this.rtbBefRel.Text + "','" + this.rtbRefName.Text + "','" + this.rtbRefCno.Text + "');";
MySqlConnection conn = new MySqlConnection(connStr);
MySqlCommand MyCommand = new MySqlCommand(Query, conn);
MySqlDataReader MyReader;
conn.Open();
MyReader = MyCommand.ExecuteReader();
while (MyReader.Read())
{
}
conn.Close();
See this picture below.
Here's the output
To me it looks like something in your data has an apostrophe in it, so when it is being appended to your query string it is thinking that it is a SQL single quote. You will have to escape or translate the apostrophe first.
Use parameters to avoid SQL injection. Read below or the awesome comic above!
Good luck!
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters(v=vs.110).aspx
add MyReader.Close() above conn.Close().
i have a class that takes search input and uses it to query a database table.
however when i press the button and call the class, i see that it shows that there is nothing in the input box ,and just shows me my messageBox message which says invalid search input(catering for nothing entered).
how can i make the class to read whats in the form search text box at the right time so that it can process further information to go on with its fucntion.
here is code for the class:
public static string s;
public static updateEmployeeForm uF = new updateEmployeeForm();
public static void selectAndDisplay()
{
if ((uF.textID.Text.Length==0))
{
MessageBox.Show("Enter valid input to search by");
}
else
{
try
{
if (uF.textID.Text.Length > 0)
{
s = "select * FROM mydb.employees WHERE id =" + int.Parse(uF.textID.Text);//declare variable called column that will contain a table column name set to be updated.
uF.colName = "id";
uF.updatingVar = uF.textID.Text;
uF.query4 = "Update mydb.employees SET name ='" + uF.nameTextBoxU.Text + "', surname='" + uF.surnameTextBoxU.Text + "', dept='" + uF.deptTextBoxU.Text + "', cost_center='" + uF.costCeTextBoxU.Text + "' ,address = '" + uF.addressTextBoxU.Text + "', dob= '" + uF.dobTextBoxU.Text + "', tel1= '" + uF.tel1TextBoxU.Text + "', tel2= '" + uF.tel2TextBoxU.Text + "' ,tel3= '" + uF.tel3TextBoxU.Text + "', email= '" + uF.emailTextBoxU.Text + "', commission= '" + uF.commTextBoxU.Text + "', total_commission= '" + uF.totalCommTextBoxU.Text + "', sick_leave= '" + uF.sickLTextBoxU.Text + "', annual_leave= '" + uF.annualLTextBoxU.Text + "', family_leave= '" + uF.familyLTextBoxU.Text + "', other_leave= '" + uF.otherLTextBoxU.Text + "',client_care_access='" + uF.clientCareChBox.Checked + "', sale_system_access='" + uF.StaffSystChBox.Checked + "', sale_system_access ='" + uF.SalesSystChBox.Checked + "', uploads_access='" + uF.UploadsChBox.Checked + "' WHERE id= '" + uF.updatingVar + "';";
}
else if (uF.idNumSearchTxtBox.Text.Length > 0)
{
s = "select * FROM mydb.employees WHERE id_num ='" + uF.idNumSearchTxtBox.Text + "';";
uF.colName = "id_num";
uF.updatingVar = uF.idNumSearchTxtBox.Text;
uF.query4 = "Update mydb.employees SET name ='" + uF.nameTextBoxU.Text + "', surname='" + uF.surnameTextBoxU.Text + "', dept='" + uF.deptTextBoxU.Text + "', cost_center='" + uF.costCeTextBoxU.Text + "' ,address = '" + uF.addressTextBoxU.Text + "', dob= '" + uF.dobTextBoxU.Text + "', tel1= '" + uF.tel1TextBoxU.Text + "', tel2= '" + uF.tel2TextBoxU.Text + "' ,tel3= '" + uF.tel3TextBoxU.Text + "', email= '" + uF.emailTextBoxU.Text + "', commission= '" + uF.commTextBoxU.Text + "', total_commission= '" + uF.totalCommTextBoxU.Text + "', sick_leave= '" + uF.sickLTextBoxU.Text + "', annual_leave= '" + uF.annualLTextBoxU.Text + "', family_leave= '" + uF.familyLTextBoxU.Text + "', other_leave= '" + uF.otherLTextBoxU.Text + "',client_care_access='" + uF.clientCareChBox.Checked + "', sale_system_access='" + uF.StaffSystChBox.Checked + "', sale_system_access ='" + uF.SalesSystChBox.Checked + "', uploads_access='" + uF.UploadsChBox.Checked + "' WHERE id_num= '" + uF.updatingVar + "';";
}
else if (uF.nameSearchTextBox.Text.Length > 0)
{
s = "select * FROM mydb.employees WHERE name ='" + uF.nameSearchTextBox.Text + "';";
uF.colName = "name";
uF.updatingVar = uF.nameSearchTextBox.Text;
uF.query4 = "Update mydb.employees SET name ='" + uF.nameTextBoxU.Text + "', surname='" + uF.surnameTextBoxU.Text + "', dept='" + uF.deptTextBoxU.Text + "', cost_center='" + uF.costCeTextBoxU.Text + "' ,address = '" + uF.addressTextBoxU.Text + "', dob= '" + uF.dobTextBoxU.Text + "', tel1= '" + uF.tel1TextBoxU.Text + "', tel2= '" + uF.tel2TextBoxU.Text + "' ,tel3= '" + uF.tel3TextBoxU.Text + "', email= '" + uF.emailTextBoxU.Text + "', commission= '" + uF.commTextBoxU.Text + "', total_commission= '" + uF.totalCommTextBoxU.Text + "', sick_leave= '" + uF.sickLTextBoxU.Text + "', annual_leave= '" + uF.annualLTextBoxU.Text + "', family_leave= '" + uF.familyLTextBoxU.Text + "', other_leave= '" + uF.otherLTextBoxU.Text + "',client_care_access='" + uF.clientCareChBox.Checked + "', sale_system_access='" + uF.StaffSystChBox.Checked + "', sale_system_access ='" + uF.SalesSystChBox.Checked + "', uploads_access='" + uF.UploadsChBox.Checked + "' WHERE name= '" + uF.updatingVar + "';";
}
else if (uF.surnameSearchTextBox.Text.Length > 0)
{
s = "select * FROM mydb.employees WHERE surname ='" + uF.surnameSearchTextBox.Text + "';";
uF.colName = "surname";
uF.updatingVar = uF.surnameSearchTextBox.Text;
uF.query4 = "Update mydb.employees SET name ='" + uF.nameTextBoxU.Text + "', surname='" + uF.surnameTextBoxU.Text + "', dept='" + uF.deptTextBoxU.Text + "', cost_center='" + uF.costCeTextBoxU.Text + "' ,address = '" + uF.addressTextBoxU.Text + "', dob= '" + uF.dobTextBoxU.Text + "', tel1= '" + uF.tel1TextBoxU.Text + "', tel2= '" + uF.tel2TextBoxU.Text + "' ,tel3= '" + uF.tel3TextBoxU.Text + "', email= '" + uF.emailTextBoxU.Text + "', commission= '" + uF.commTextBoxU.Text + "', total_commission= '" + uF.totalCommTextBoxU.Text + "', sick_leave= '" + uF.sickLTextBoxU.Text + "', annual_leave= '" + uF.annualLTextBoxU.Text + "', family_leave= '" + uF.familyLTextBoxU.Text + "', other_leave= '" + uF.otherLTextBoxU.Text + "',client_care_access='" + uF.clientCareChBox.Checked + "', sale_system_access='" + uF.StaffSystChBox.Checked + "', sale_system_access ='" + uF.SalesSystChBox.Checked + "', uploads_access='" + uF.UploadsChBox.Checked + "' WHERE surname= '" + uF.updatingVar + "';";
}
and here code for its call in the form im calling it with:
private void btnSearch_Click(object sender, EventArgs e)
{
updatingDatareadingClass.selectAndDisplay();
}
You are creating a new instance of the form and not using the original (Where the input value will be stored).
You could use the original textbox value textID.Text or ensure that your uF form is showing by doing:
uf.Show(); // This will then allow you to use `uF.textID.Text` correctly.
Also you should read up on SQL Injection as your form is injectable, for instance a user could enter their name as test or 1 = 1 which would allow then access to your application or even worse, DROP TABLE mydb.employees; which would delete your entire employees table.
why i'm getting this error Must declare the scalar variable "#param2". for my code
string query = "INSERT INTO cdr_info VALUES(#param2,'" + Values[1] + "' , '" + Values[2] + "', '" + Values[3] + "', '" + Values[5] + "', '" + Values[7] + "', '" + Values[8] + "', '" + Values[9] + "'," + " '" + Values[10] + "', '" + Values[12] + "', '" + Values[13] + "', '" + Values[14] + "', '" + Values[17] + "', '" + Values[21] + "', '" + Values[23] + "', '" + Values[24] + "', '" + Values[25] + "','" + Values[26] + "', '" + Values[27] + "', '" + Values[28] + "', '" + Values[29] + "', " + " '" + Values[30] + "', '" + Values[31] + "', '" + Values[32] + "', '" + Values[34] + "'," + "'" + Values[35] + "', '" + Values[37] + "', '" + Values[38] + "','" + Values[39] + "', '" + Values[40] + "', '" + Values[41] + "','" + Values[45] + "', '" + Values[46] + "', '" + Values[47] + "', '" + Values[48] + "'," + " '" + Values[52] + "', '" + Values[53] + "', '" + Values[55] + "', '" + Values[59] + "', '" + Values[64] + "'," + "'" + Values[71] + "', '" + Values[75] + "', '" + Values[85] + "', '" + Values[93] + "', '" + Values[94] + "', '" + Values[95] + "', '" + Values[96] + "', '" + Values[97] + "', '" + Values[98] + "', '" + Values[105] + "', '" + Values[106] + "')";
cmd.Parameters.AddWithValue("#param2",Values[0]);
cmd = new SqlCommand(query, con);
cmd.ExecuteNonQuery();
Because you reassign the command after you added the parameter to it.
Try putting the instructions in this order:
cmd = new SqlCommand(query, con);
cmd.Parameters.AddWithValue("#param2",Values[0]);
Not perfect but to give you a good idea...
var sqlString = new StringBuilder();
sqlString.Append("INSERT INTO cdr_info VALUES(#param2,'");
sqlString.Append("Values[1] + "' , '" + Values[2] + "', '" + Values[3] + "', '" + Values[5] + "', '" + Values[7] + "', '" + Values[8] + "', '" + Values[9] + "',");
sqlString.Append("" '" + Values[10] + "', '" + Values[12] + "', '" + Values[13] + "', '" + Values[14] + "', '" + Values[17] + "', '" + Values[21] + "', '" + Values[23] + "', '"");
sqlString.Append("Values[24] + "', '" + Values[25] + "','" + Values[26] + "', '" + Values[27] + "', '" + Values[28] + "', '"");
sqlString.Append("Values[29] + "', " + " '" + Values[30] + "', '" + Values[31] + "', '" + Values[32] + "', '" + Values[34] + "'," + "'" + Values[35]");
sqlString.Append("Values[35] + "', '" + Values[37] + "', '" + Values[38] + "','" + Values[39] + "', '" + Values[40] + "', '" + Values[41] + "','" + Values[45] + "', '" + Values[46] + "', '" + Values[47] + "', '" + Values[48] + "'," + " '" + Values[52]);
sqlString.Append(""', '" + Values[53] + "', '" + Values[55] + "', '" + Values[59] + "', '" + Values[64]")
sqlString.Append("'," + "'" + Values[71] + "', '" + Values[75] + "', '" + Values[85] + "', '" + Values[93] + "', '" + Values[94] + "', '" + Values[95] + "', '" + Values[96])
sqlString.Append(""', '" + Values[97] + "', '" + Values[98] + "', '" + Values[105] + "', '" + Values[106] + "')""");
cmd = new SqlCommand(sqlString , con);
cmd.Parameters.AddWithValue("#param2",Values[0]);
cmd.ExecuteNonQuery()
Honestly though I find it hard to believe theres not a better way to do this.
PS- Whats all the white spaces for?
"Values[29] + "', " + " '" + Values[30]