Can anyone please help. I have a table with three fields: Amount, LatestUpdate and Note. I want to update the three fields using parameters to avoid any SQL injection. I need help on writing them the correct way using Parameters.Add().
Here is the code.
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = convert(nvarchar(4000),@notes) + '. " + item.notes + "' WHERE ID=1";
com.Parameters.Add("@amount", item.amount.ToString());
com.Parameters.Add("@latestUpdate", item.fuelingDate.ToString());
com.Parameters.Add("@notes", item.notes.ToString());
You're nearly there. You want something like:
com.Parameters.Add("@amount", SqlDbType.Int).Value = item.amount;
com.Parameters.Add("@latestUpdate", SqlDbType.DateTime).Value = item.fuelingDate;
com.Parameters.Add("@notes", SqlDbType.NVarChar).Value = item.notes;
Don't forget to include using System.Data;
You need to add parameters along with the SqlDbType. Do not use the AddWithValue method, because several articles mention that it is not very safe. I would use the following:
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = @notes WHERE ID=1";
SqlParameter parameter = new SqlParameter("@amount", System.Data.SqlDbType.Int);
parameter.Value = item.amount;
com.Parameters.Add(parameter);
parameter = new SqlParameter("@latestUpdate", System.Data.SqlDbType.DateTime);
parameter.Value = item.fuelingDate;
com.Parameters.Add(parameter);
parameter = new SqlParameter("@notes", System.Data.SqlDbType.NVarChar);
parameter.Value = item.notes;
com.Parameters.Add(parameter);
--UPDATE--
To append to the notes instead of overwriting them, just change the CommandText:
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = Notes + @notes WHERE ID=1";
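A fuller version of the typed-parameter approach, as an added example (not code from the question or the answers): every value, including the row ID, is passed as a typed and sized parameter, and the append is NULL-safe. The tblStore schema follows the question; the connection string and input values are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the question or answers: the same UPDATE with every
// value, including the row ID, passed as a typed parameter. Table and column
// names follow the question; the connection string and inputs are assumed.
public static class StoreUpdater
{
    // ISNULL keeps the append working when Notes is still NULL; without it the
    // whole concatenation, and therefore the column, would become NULL.
    private const string Sql =
        "UPDATE tblStore " +
        "SET Amount = Amount + @amount, " +
        "    LatestUpdate = @latestUpdate, " +
        "    Notes = ISNULL(CONVERT(nvarchar(4000), Notes), N'') + N'. ' + @notes " +
        "WHERE ID = @id;";

    // Returns the number of rows affected; 0 means no row had that ID.
    public static int AppendToStore(string connectionString, int id, int amount,
                                    DateTime latestUpdate, string notes)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(Sql, connection))
        {
            // Explicit SqlDbType: the driver sends each value as typed data, so a
            // note containing quotes or a semicolon can never alter the statement.
            command.Parameters.Add("@amount", SqlDbType.Int).Value = amount;
            command.Parameters.Add("@latestUpdate", SqlDbType.DateTime).Value = latestUpdate;
            // A fixed size avoids one cached plan per distinct string length,
            // which is what happens when the type is inferred from the value.
            command.Parameters.Add("@notes", SqlDbType.NVarChar, 4000).Value = notes ?? string.Empty;
            command.Parameters.Add("@id", SqlDbType.Int).Value = id;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }

    // Constructed sample call; the connection string is a placeholder.
    public static void Main()
    {
        const string connectionString = "Server=.;Database=<your-db>;Integrated Security=true";
        int rows = AppendToStore(connectionString, 1, 25, DateTime.Now, "refuelled");
        Console.WriteLine(rows == 1 ? "row updated" : "no row with ID 1");
    }
}
```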
This is the final code that works. I am sharing it in case anyone else needs it. Thank you all for your help.
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = convert(nvarchar(4000),Notes) + '.' + @notes WHERE ID=1";
com.Parameters.Add("@amount", SqlDbType.Int).Value = item.amount;
com.Parameters.Add("@latestUpdate", SqlDbType.DateTime).Value = item.fuelingDate;
com.Parameters.Add("@notes", SqlDbType.NVarChar).Value = item.notes;
Are you looking for this?
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = convert(nvarchar(4000),@notes) + '. " + item.notes + "' WHERE ID=1";
com.Parameters.AddWithValue("@amount", item.amount.ToString());
com.Parameters.AddWithValue("@latestUpdate", item.fuelingDate.ToString());
com.Parameters.AddWithValue("@notes", item.notes.ToString());
I am working on a C# project. I have created a dataset using SQL Server and I tried to show the data in a DataGridView table. Then I added a button to change the selected data. When I use the English language for editing the data, it works perfectly. But when I change the language, a question mark is shown.
To edit the data I use the following commands.
sqlStr = "Update Employee Set FirstName = '" + FirstName.Text + "' Where ID = '" + ID.Text + "'";
cmd.CommandText = sqlStr;
cmd.Connection = connect;
cmd.ExecuteNonQuery();
Any help is appreciated.
Thanks
Change:
sqlStr = "Update Employee Set FirstName = '" + FirstName.Text + "' Where ID = '" + ID.Text + "'";
to:
sqlStr = "Update Employee Set FirstName = N'" + FirstName.Text + "' Where ID = N'" + ID.Text + "'";
Without the N at the start, you are using varchar rather than nvarchar, which basically means that Persian characters will show as ?
I think you should use SqlParameters like this:
sqlStr = "Update Employee Set FirstName = @FirstName Where ID = @Id";
SqlParameter param = new SqlParameter();
param.ParameterName = "@FirstName";
param.Value = FirstName.Text;
cmd.Parameters.Add(param);
param = new SqlParameter();
param.ParameterName = "@Id";
param.Value = ID.Text;
cmd.Parameters.Add(param);
This also avoids SQL injection.
How do I update the Yes/No field "Select" column using C#?
Here's my table 1 and table 2:
Here is my code:
connection.Open();
OleDbCommand command = new OleDbCommand("update [Table1] set [Select] = @Select, [DocumentName] = @DN where [Table1ID] = " + txtTable1ID.Text + " ", connection);
command.Parameters.AddWithValue("@Select", checkBox1.Checked);
command.Parameters.AddWithValue("@DN", "Form 137");
command.ExecuteNonQuery();
command.Parameters.Clear();
command.Parameters.AddWithValue("@Select", checkBox2.Checked);
command.Parameters.AddWithValue("@Name", "Good Moral");
command.ExecuteNonQuery();
command.Parameters.Clear();
command.Parameters.AddWithValue("@Select", checkBox3.Checked);
command.Parameters.AddWithValue("@Name", "Transcript of Record");
command.ExecuteNonQuery();
connection.Close();
The output with this code:
You're missing a comma:
"update [Table1] set [Select] = @Select, [DocumentName] = @DN where [Table1ID] = " + txtTable1ID.Text + ""
Please be aware that your code is vulnerable to SQL injection attacks.
You should never concatenate SQL like this: [Table1ID] = " + txtTable1ID.Text + " ".
Instead use parameterised SQL, like you've done for the other bits, such as the "@Select" parameter.
(Sorry, not enough rep to post this as a comment)
I have a WinForm and a textbox which will pass the value to a prepared statement like this:
searchKey = "member_chinese_name";
field_name = "member_chinese_name";
daoQuery = "SELECT * FROM member where member_chinese_name like @" + searchKey;
sqlCmd = new MySqlCommand(daoQuery, databaseConnection);
MessageBox.Show(field_name + " " + field_value1);
sqlCmd.Parameters.Add(new MySqlParameter("@" + field_name, field_value1 + "%"));
sqlCmd.CommandTimeout = 60;
sqlCmd.ExecuteNonQuery();
adapter.SelectCommand = sqlCmd;
adapter.Fill(ds);
The whole query is (select * from member where member_chinese_name like 中文字%;)
The query has no result when run in my WinForm, but when I run the SQL in phpMyAdmin (select * from member where member_chinese_name like '中文字%') it is valid.
Does anyone know what the problem is?
Remarks (searching in English is OK)
The problem might be the parameter you are sending for the search. It should be @searchKey instead of @" + searchKey; and you can also choose sqlCmd.Parameters.AddWithValue instead of sqlCmd.Parameters.Add(new MySqlParameter ...), so the code would look like:
searchKey = "member_chinese_name";
field_name = "member_chinese_name";
daoQuery = "SELECT * FROM member where member_chinese_name like @sKey";
sqlCmd = new MySqlCommand(daoQuery, databaseConnection);
MessageBox.Show(field_name + " " + field_value1);
// not sure which variable stores 中文字
sqlCmd.Parameters.AddWithValue("@sKey", field_value1 + "%");
I am using a SQL query with SELECT SCOPE_IDENTITY() in a SqlCommand. Here is my code:
SqlCommand cmd = new SqlCommand("INSERT INTO tbl_Supplier(Supplier_Name,Supplier_Address, Supplier_PhoneNo,Supplier_City,Supplier_Remarks) VALUES('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "','"+DropDownList1.SelectedItem+"','"+TextBox4.Text+"') RETURN SCOPE_IDENTITY()", conn);
var id = cmd.ExecuteScalar();
conn.Close();
But the code is always returning 1?
You are using the wrong syntax to get that info.
"...; SELECT SCOPE_IDENTITY()"
(Notice also the semicolon before the SELECT and after the end of the first SQL statement.)
At this point ExecuteScalar is able to get the first column of the first row returned by the SELECT.
That said, please take a bit of your time to learn how to execute "Parameterized Queries"; your code is very weak and an easy target for SQL injection.
string cmdText = @"INSERT INTO tbl_Supplier
(Supplier_Name,
Supplier_Address,
Supplier_PhoneNo,
Supplier_City,
Supplier_Remarks)
VALUES(@name, @address, @phone, @city, @remarks);
SELECT SCOPE_IDENTITY()";
using(SqlCommand cmd = new SqlCommand(cmdText, connection))
{
    connection.Open();
    cmd.Parameters.Add("@name", SqlDbType.NVarChar).Value = TextBox1.Text;
    cmd.Parameters.Add("@address", SqlDbType.NVarChar).Value = TextBox2.Text;
    cmd.Parameters.Add("@phone", SqlDbType.NVarChar).Value = TextBox3.Text;
    cmd.Parameters.Add("@city", SqlDbType.NVarChar).Value = DropDownList1.SelectedItem;
    cmd.Parameters.Add("@remarks", SqlDbType.NVarChar).Value = TextBox4.Text;
    var id = cmd.ExecuteScalar();
}
connection.Close();
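As an added example (not the asker's or the answerer's code), the parameterized INSERT with the new identity read back through ExecuteScalar: the cast turns the numeric value SCOPE_IDENTITY() returns into an int, and a missing identity is surfaced as an error instead of a silent wrong value. The parameter sizes, the connection handling and the sample inputs are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the question or answer: parameterized INSERT that
// returns the new identity. Table/column names follow the question; the
// parameter sizes and the connection are assumed, the inputs constructed.
public static class SupplierRepository
{
    private const string Sql =
        "INSERT INTO tbl_Supplier " +
        "  (Supplier_Name, Supplier_Address, Supplier_PhoneNo, Supplier_City, Supplier_Remarks) " +
        "VALUES (@name, @address, @phone, @city, @remarks); " +
        // SCOPE_IDENTITY() is numeric(38,0); cast it so ExecuteScalar yields an int.
        "SELECT CAST(SCOPE_IDENTITY() AS int);";

    public static int InsertSupplier(SqlConnection connection, string name, string address,
                                     string phone, string city, string remarks)
    {
        using (var cmd = new SqlCommand(Sql, connection))
        {
            // Typed and sized parameters; the sizes are assumed and should match
            // the real column definitions.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@phone", SqlDbType.NVarChar, 30).Value = phone;
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;
            // Optional column: a C# null is treated as "parameter not supplied",
            // so send DBNull.Value to store SQL NULL.
            cmd.Parameters.Add("@remarks", SqlDbType.NVarChar, 400).Value =
                (object)remarks ?? DBNull.Value;

            if (connection.State != ConnectionState.Open) connection.Open();

            // ExecuteScalar returns the first column of the first row of the SELECT.
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                throw new InvalidOperationException("INSERT produced no identity value.");
            return (int)result;
        }
    }

    // Constructed sample call; the connection string is a placeholder.
    public static void Main()
    {
        using (var connection = new SqlConnection("Server=.;Database=<your-db>;Integrated Security=true"))
        {
            int id = InsertSupplier(connection, "Acme Ltd", "1 High St", "555-0100", "Springfield", null);
            Console.WriteLine("new Supplier id: " + id);
        }
    }
}
```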
Hello guys, I have a problem with running an update query from Microsoft Access 2013. I just want to update the client table with client ID, name and phone. I can't get the data to be updated; there is always a syntax error.
string I = "UPDATE client SET client.ID =" + ID.Text + " ,client.Name =" + Name.Text + " ,client.Phone = " + Phone.Text + " WHERE client.ID="+ ID.Text +"";
command.CommandText = I;
command.CommandType = CommandType.Text;
connection.Open();
command.ExecuteNonQuery();
You need to use a parameterized query, like this:
string I = "UPDATE client SET client.Name = ?, client.Phone = ? WHERE client.ID = ?";
command.CommandText = I;
command.CommandType = CommandType.Text;
command.Parameters.AddWithValue("?", Name.Text);
command.Parameters.AddWithValue("?", Phone.Text);
command.Parameters.AddWithValue("?", ID.Text);
connection.Open();
command.ExecuteNonQuery();
Note that it makes no sense to "SET" client.ID since it is not going to change.