I'm trying to modify my code by placing the SQL connections and queries into a C# class because currently all my .aspx.cs has connection strings with different types of queries with parameters
Like this:
string CS2 = ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString;
using (SqlConnection con2 = new SqlConnection(CS2))
{
SqlCommand cmd2 = new SqlCommand("SELECT nombre FROM [Portal_B2e].[dbo].[usuarios] WHERE numero_personal = " + lblCedula.Text + "", con2);
con2.Open();
object labels = cmd2.ExecuteScalar();
lblNombre.Text = labels.ToString();
}
As you notice I complete the query with lblCedula.Text so when I try to do this from a C# class it says lblCedula does not exist in this content.
How could I make a reference to the label I have in another page from the class?
This is my code in the C# class
public static List<Perfil> DeletePerfil()
{
List<Perfil> listDelete = new List<Perfil>();
string CS = ConfigurationManager.ConnectionStrings["DBCSATE"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
SqlCommand cmd = new SqlCommand("SELECT nombre FROM [Portal_B2e].[dbo].[usuarios] WHERE numero_personal = " + lblCedula.Text + "", con);
con.Open();
SqlDataReader rdr = cmd.ExecuteReader();
while (rdr.Read())
{
Perfil perfil1 = new Perfil();
perfil1.perfil = Convert.ToInt32(rdr["perfil"]);
perfil1.descripcion = rdr["descripcion"].ToString();
listDelete.Add(perfil1);
}
}
return listDelete;
}
You can hand over the string by a method parameter.
Also please mention the use of the SqlParameter. It will prevent your Query from SQL Injection
public static List<Perfil> DeletePerfil(string numeroPersonal)
{
using (SqlConnection con = new SqlConnection(CS))
{
SqlCommand cmd = new SqlCommand("SELECT nombre FROM [Portal_B2e].[dbo].[usuarios] WHERE numero_personal = #PersNo", con);
SqlParameter param = new SqlParameter();
param.ParameterName = "#PersNo";
param.Value = numeroPersonal;
cmd.Parameters.Add(param);
...
}
}
Like others have said, pass in lblCedula.Text as a string parameter to your DeletePerfil method:
public static List<Perfil> DeletePerfil(string numeroPersonal)
...
Then your call looks like this:
...
var deletedProfiles = YourClass.DeletePerfil(lblCedula.Text);
...
And like sstan's comment mentioned, make sure you use SQLParameters instead of using string concatenation to avoid a SQL Injection security hole.
Related
I am trying to store sql data that I have for a voucher id and voucher amount into a variable and display it into a label on a click of a button.
protected void Button1_Click(object sender, EventArgs e)
{
string voucherId = String.Empty;
string voucherAmount = String.Empty;
string queryVoucherId = "select voucherid from ReturnForm where email = '" + Session["username"] + "';";
string queryVoucherAmount = "select voucheramount from ReturnForm where email = '" + Session["username"] + "';";
int index = 0;
using (SqlConnection con = new SqlConnection(str))
{
SqlCommand cmd = new SqlCommand(queryVoucherId, con);
con.Open();
SqlDataReader reader = cmd.ExecuteReader();
while (reader.Read())
{
voucherId = reader[index].ToString();
index++;
}
}
using (SqlConnection con = new SqlConnection(str))
{
SqlCommand cmd = new SqlCommand(queryVoucherAmount, con);
con.Open();
SqlDataReader reader = cmd.ExecuteReader();
while (reader.Read())
{
voucherAmount = reader[index].ToString();
index++;
}
}
if (txtVoucher.Text == voucherId)
{
Label3.Visible = true;
Label3.Text = voucherAmount;
}
}
When I click the button its giving me an error saying that the index is out of bounds.
Building on #JSGarcia's answer - but using parameters as one ALWAYS should - you'd get this code:
string email = Session['username'];
string query = $"SELECT voucherid, voucheramount FROM ReturnFrom WHERE Email = #email";
DataTable dt = new DataTable();
using (SqlConnection conn = new SqlConnection(connectionString))
using (SqlCommand cmd = new SqlCommand(query, conn))
using (SqlDataAdapter sda = new SqlDataAdapter(cmd))
{
// set the parameter before opening connection
// this also defines the type and length of parameter - just a guess here, might need to change this
cmd.Parameters.Add("#email", SqlDbType.VarChar, 100).Value = email;
conn.Open();
sda.Fill(dt);
conn.Close();
}
Personally, I'd rather use a data class like
public class VoucherData
{
public int Id { get; set; }
public Decimal Amount { get; set; }
}
and then get back a List<VoucherData> from your SQL query (using e.g. Dapper):
string query = $"SELECT Id, Amount FROM ReturnFrom WHERE Email = #email";
List<VoucherData> vouchers = conn.Query<VoucherData>(query).ToList();
I'd try to avoid the rather clunky and not very easy to use DataTable construct...
I strongly recommend combining your sql queries into a single one, write it into a datatable and continue your logic from there. IMHO it is much cleaner code:
string email = Session['username'];
string query = $"SELECT voucherid, voucheramount FROM ReturnFrom where Email = '{email}'";
DataTable dt = new DataTable();
using (SqlConnection conn = new SqlConnection(connectionString))
using (SqlCommand cmd = conn.CreateCommand())
using (SqlDataAdapter sda = new SqlDataAdapter(cmd))
{
cmd.CommandText = query;
cmd.CommandType = CommandType.Text;
conn.Open();
sda.Fill(dt);
conn.Close();
}
// Work with DataTable dt from here on
...
Well, one more big tip?
You ONLY as a general rule need a dataadaptor if you going to update the data table.
And you ONLY need a new connection object if you say not using the sql command object.
The sqlcommand object has:
a connection object - no need to create a separate one
a reader - no need to create a separate one.
Note how I did NOT create a seperate connection object, but used the one built into the command object.
And since the parameter is the SAME in both cases? Then why not re-use that too!!
So, we get this:
void TestFun2()
{
String str = "some conneciton???";
DataTable rstVouch = new DataTable();
using (SqlCommand cmdSQL =
new SqlCommand("select voucherid from ReturnForm where email = #email",
new SqlConnection(str)))
{
cmdSQL.Parameters.Add("#email", SqlDbType.NVarChar).Value = Session["username"];
cmdSQL.Connection.Open();
rstVouch.Load(cmdSQL.ExecuteReader());
// now get vouch amount
cmdSQL.CommandText = "select voucheramount from ReturnForm where email = #email";
DataTable rstVouchAmount = new DataTable();
rstVouchAmount.Load(cmdSQL.ExecuteReader());
if (rstVouch.Rows[0]["vourcherid"].ToString() == txtVoucher.Text)
{
Label3.Visible = true;
Label3.Text = rstVouchAmount.Rows[0]["voucheramount"].ToString();
}
}
}
I can't extract the values through a query and insert them into textboxes
Where am I going wrong?
Request.QueryString.Get("ID_Persona");
string query = "SELECT ID,Nome,Cognome,Email,CodiceFiscale FROM Persona WHERE ID = #id";
using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["dbConnection"].ConnectionString))
{
SqlCommand cmd = new SqlCommand(query, con);
cmd.Parameters.AddWithValue("#ID","");
cmd.Parameters.AddWithValue("#Nome", TextBox1.Text);
cmd.Parameters.AddWithValue("#Cognome", TextBox15.Text);
cmd.Parameters.AddWithValue("#Email", TextBox20.Text);
cmd.Parameters.AddWithValue("#CodiceFiscale", TextBox22.Text);
con.Open();
cmd.ExecuteNonQuery();
}
You need to use ExecuteReader to read values, something like this:
var connectionString = ConfigurationManager.ConnectionStrings["dbConnection"].ConnectionString;
string query = "SELECT ID,Nome,Cognome,Email,CodiceFiscale FROM Persona WHERE ID = #id";
using (SqlConnection con = new SqlConnection(connectionString))
{
using (var cmd = new SqlCommand(query, con))
{
cmd.Parameters.AddWithValue("#ID", Request.QueryString.Get("ID_Persona"));
con.Open();
using (var rdr = cmd.ExecuteReader())
{
if (rdr.Read())
{
//IDTextBox? = rdr["Id"].ToString(),
TextBox1.Text = rdr["Nome"].ToString(),
TextBox15.Text = rdr["Cognome"].ToString(),
TextBox20.Text= rdr["Email"].ToString(),
TextBox22.Text= rdr["CodiceFiscale"].ToString(),
}
}
}
}
You should use a ExecuteReader() instead of ExecuteNonQuery() since ExecuteNonQuery is meant for DML operations. Again, you need only the ID value to be passed then why you are passing unnecessary parameters to your query. Remove them all. An example below
SqlDataReader reader = cmd.ExecuteReader();
while (reader.Read())
{
Console.WriteLine(String.Format("{0}", reader["Email"]));
}
I can see several issues:
You should use ExecuteReader() instead of ExecuteNonQuery()
You should provide just 1 parameter - #ID; I doubt if it should have an empty value.
You should wrap IDisposable into using
Code:
string query =
#"SELECT ID,
Nome,
Cognome,
Email,
CodiceFiscale
FROM Persona
WHERE ID = #id";
using (SqlConnection con = new SqlConnection(...))
{
con.Open();
using SqlCommand cmd = new SqlCommand(query, con)
{
// I doubt if you want empty Id here.
// I've assumed you want to pass ID_Persona
cmd.Parameters.AddWithValue("#ID", Request.QueryString.Get("ID_Persona"));
using (var reader = cmd.ExecuteReader())
{
if (reader.Read())
{
TextBox1.Text = Convert.ToString(reader["Nome"]);
TextBox15.Text = Convert.ToString(reader["Cognome"]);
TextBox20.Text = Convert.ToString(reader["Email"]);
TextBox22.Text = Convert.ToString(reader["CodiceFiscale"]);
}
}
}
}
I have a table TümEnvanter$ which has 2 columns equipment code (Ekipman) and their description (Tanım).
User chooses the equipment from the combo box, and I want the description of the chosen equipment to appear in the label at the time they choose from combobox.
Here is what I tried:
SqlCommand cmdTanim = new SqlCommand("select Tanım from TümEnvanter$ where Ekipman = '" + comboBox_ekipman.Text + "'", connect);
connect.Open();
SqlDataReader reader = cmdTanim.ExecuteReader();
string tanim = reader.ToString();
labelTanim.Text = "Ekipman Tanımı: "+tanim+" ";
When I use this code, I get in the label:
Ekipman Tanımı: System.Data.SqlClient.SqlDataReader
How can I fix this? Thank you.
If you only expect a single value, then ExecuteScalar is much simpler than using a reader, i.e.
labelTanim.Text = Convert.ToString(cmdTanim.ExecuteScalar());
In general, perhaps consider tools like "Dapper" which would make this simple even in multi-row cases and solve the SQL injection problem trivially:
string s = connect.QuerySingle<string>(
"select Tanım from TümEnvanter$ where Ekipman = #val", // command
new { val = comboBox_ekipman.Text }); // parameters
You should try this code, it gathers some good practices, such as:
1) Uses using statement to release unamnaged resources (SQL connections, IDisposables in general).
2) Prevents from SQL injection using Parameters field of SqlCommand object.
Also, I used ExecuteScalar method, mentioned by #MarcGravell, which simplifies the code.
public void SqlConn()
{
string tanim = null;
using (SqlConnection connect = new SqlConnection("connectionString"))
{
using (SqlCommand cmdTanim = new SqlCommand())
{
cmdTanim.Connection = connect;
cmdTanim.CommandText = "select Tanım from TümEnvanter$ where Ekipman = #param";
cmdTanim.Parameters.Add("#param", SqlDbType.VarChar).Value = comboBox_ekipman.Text;
connect.Open();
tanim = (string)cmdTanim.ExecuteScalar();
}
}
labelTanim.Text = "Ekipman Tanımı: " + tanim + " ";
}
Something like this:
// wrap IDisposable into using
using (SqlConnection connect = new SqlConnection("Put_Connection_String_Here"))
{
connect.Open();
// Make SQL readable and parametrized
string sql =
#"select Tanım
from TümEnvanter$
where Ekipman = #prm_Ekipman";
// wrap IDisposable into using
using (SqlCommand cmdTanim = new SqlCommand(sql, connect))
{
//TODO: explicit typing Add(..., DbType...) is a better choice then AddWithValue
cmdTanim.Parameters.AddWithValue("#prm_Ekipman", comboBox_ekipman.Text);
// We want one record only; ExecuteScalar() instead of ExecuteReader()
// String interpolation shortens the code
labelTanim.Text = $"Ekipman Tanımı: {cmdTanim.ExecuteScalar()} ";
}
}
Use this code instead by using the reader() method of SqlDataReader to read and access the contents of the SqlDataReader.
SqlCommand cmdTanim = new SqlCommand("select Tanım from TümEnvanter$ where Ekipman = '" + comboBox_ekipman.Text + "'", connect);
connect.Open();
SqlDataReader reader = cmdTanim.ExecuteReader();
if(reader.HasRows){
reader.read();
string tanim = reader.ToString();
labelTanim.Text = "Ekipman Tanımı: "+tanim+" ";
}
Hope this code snippet works for you.
Use below code :
SqlCommand cmdTanim = new SqlCommand("select Tanım from TümEnvanter$ where Ekipman = '" + comboBox_ekipman.Text + "'", connect);
connect.Open();
SqlDataReader reader = cmdTanim.ExecuteReader();
string tanim = string.Empty;
while (reader.Read())
{
tanim= reader["Tanım"].ToString()
}
labelTanim.Text = "Ekipman Tanımı: "+tanim+" ";
I am trying to create a parameter for all those values that is mentioned below in the code itself.
Any help would be appreciated!
This is what I did:
public static void Main()
{
{
string testEnv = ClaimQuery.ClaimQueryhelper.getTestEnv();
// calls claimQueryhelper for the test environment
var connectionString = ClaimQuery.ClaimQueryhelper.getConnection(testEnv);
// if we are not calling helper then the environment is hard coded
//string connectionString = ConfigurationManager.ConnectionStrings["aitf"].ConnectionString;
//ConsoleWindows.Properties.Settings.Default.ConnectionString;
using (SqlConnection con = connectionString)
{
///Sql to get the data from the Dbase
string sql = "SELECT TOP 3 claim.CLCL_MICRO_ID,cdml.LOBD_ID,cdml.IDCD_ID,CLMD_TYPE, " +
"* FROM CMC_CLCL_CLAIM claim INNER JOIN CMC_CDML_CL_LINE cdml ON claim.CLCL_ID = cdml.CLCL_ID" +
" INNER JOIN CMC_CLMD_DIAG clmd ON claim.CLCL_ID = clmd.CLCL_ID WHERE CLCL_CUR_STS =#CLCL_CUR_STS AND #CLCL_CL_SUB_TYPE AND #CLCL_RECD_DT and #CLMD_TYPE ";
//connecting to the Sql server
using (SqlCommand command = new SqlCommand(sql, con))
//Reading the Sql database
using (SqlDataReader reader = command.ExecuteReader())
{
command.Parameters.Add(
new[]
{
new SqlParameter(#"CLCL_CUR_STS", SqlDbType.Int).Value = "01",
new SqlParameter(#"CLCL_CL_SUB_TYPE", SqlDbType.VarChar).Value = "M",
new SqlParameter(#"CLMD_TYPE", SqlDbType.VarChar).Value = "01",
new SqlParameter(#"CLCL_RECD_DT", SqlDbType.DateTime).Value = "2017-02-03 00:00:00.000",
});
The parameter values for SqlCommand query string (i.e. array of SqlParameter) must be iterated & assigned to the command before DataReader opens by using ExecuteReader. See this example below:
using (SqlConnection con = new SqlConnection(connectionString))
{
// SQL query to get the data from the database
string sql = #"[query string here]";
con.Open();
// connecting to the SQL Server
using (SqlCommand command = new SqlCommand(sql, con))
{
SqlParameter[] parameters = new[]
{
new SqlParameter(#"CLCL_CUR_STS", SqlDbType.Int).Value = "01",
new SqlParameter(#"CLCL_CL_SUB_TYPE", SqlDbType.VarChar).Value = "M",
new SqlParameter(#"CLMD_TYPE", SqlDbType.VarChar).Value = "01",
new SqlParameter(#"CLCL_RECD_DT", SqlDbType.DateTime).Value = "2017-02-03 00:00:00.000",
};
foreach (SqlParameter sqlParam in parameters)
{
command.Parameters.Add(sqlParam);
}
// Reading the SQL database
using (SqlDataReader reader = command.ExecuteReader())
{
// fetch retrieved data
}
}
// other stuff
con.Close();
}
Must declare the scalar variable error obviously means that one or more of provided query parameters are not declared during query statement execution (they're wrongly declared after the DataReader has already open).
I am trying to use If statement for two query. If query one = query 2
string select = "Select ProfileId from Project_list Where ProjectId = #ProjectId";
using (SqlConnection myConnection = new SqlConnection(connectionString))
{
myConnection.Open();
SqlCommand myCommand = new SqlCommand(select, myConnection);
myCommand.Parameters.AddWithValue("#ProjectId", querystring);
object Project_listResult = myCommand.ExecuteScalar();
}
string getProfileId = "SELECT ProfileId FROM User_Profile WHERE UserId = (#UserId)";
using (SqlConnection myConnection = new SqlConnection(connectionString))
{
myConnection.Open();
SqlCommand myCommand = new SqlCommand(getProfileId, myConnection);
myCommand.Parameters.AddWithValue("#UserId", currentUserId);
object User_profileResult= myCommand.ExecuteScalar();
}
if (Project_listResult == User_profileResult)
{
addFollowerButton.Visible = true;
}
This is the code I have so, but is not working.
Error 18 The name 'Project_listResult' does not exist in the current
Error 19 The name 'User_profileResult' does not exist in the current
You have to define both values outside, so that are in scope to use them. Right now you are define both values in using, so those are just under the scope of only under and not available outside that, so you are getting that error.
A simple suggestion is that avoid use of keywords those are part of different language, as you are using select as variable name. This help to increase readability and increase confusion.
Refer
object Project_listResult = null;
object User_profileResult = null;
using (SqlConnection myConnection = new SqlConnection(connectionString))
{
myConnection.Open();
SqlCommand myCommand = new SqlCommand(select, myConnection);
myCommand.Parameters.AddWithValue("#ProjectId", querystring);
Project_listResult = myCommand.ExecuteScalar();
}
string getProfileId = "SELECT ProfileId FROM User_Profile WHERE UserId = (#UserId)";
using (SqlConnection myConnection = new SqlConnection(connectionString))
{
myConnection.Open();
SqlCommand myCommand = new SqlCommand(getProfileId, myConnection);
myCommand.Parameters.AddWithValue("#UserId", currentUserId);
User_profileResult= myCommand.ExecuteScalar();
}
if (Project_listResult.Equals(User_profileResult))
{
addFollowerButton.Visible = true;
}
If I'm understand you you're trying to compare the objects. So you've got to try
if (Project_listResult.Equals(User_profileResult))
addFollowerButton.Visible = true;
http://msdn.microsoft.com/en-us/library/bsc2ak47(v=vs.110).aspx