
I have a table named "Members" in my database.

In a form, I have some Labels, TextBoxes, a DataGridView and a few Buttons.

When I click a row in the DataGridView, the whole data appears in the corresponding TextBox correctly.

I have added an "Update" button - which, when clicked I want the database table information to update instantly.

I have written the following code on the "Update" button click event. But it shows me an error continuously. Please help. I badly need the solution.

string Query = "UPDATE Members SET MemberID='" + MemberIDTextBox.Text + "'|| Name='" + NameTextBox.Text + "'|| Gender='" + GenderComboBox.Text + "'|| Address='" + AddressTextBox.Text + "'|| NID='" + NationalIDTextBox.Text + "'|| DOB='" + DOBTimePicker.Text + "'|| BloodGroup='" + BloodGroupTextBox.Text + "'|| Height='" + HeightTextBox.Text + "'|| Weight='" + WeightTextBox.Text + "'|| ChestSize='" + ChestSizeTextBox.Text + "'|| MusclesSize='" + MusclesSizeTextBox.Text + "'|| AbsPack='" + AbsPackTextBox.Text + "'|| Profession='" + ProfessionTextBox.Text + "'|| Contact='" + ContactTextBox.Text + "' WHERE MemberID='" + MemberIDTextBox.Text + "'";


SqlCommand Command = new SqlCommand(Query, Connection);
Command.ExecuteNonQuery();
  • What error message are you getting? Commented Jul 26, 2016 at 18:05
  • I believe you want to use a data adapter as the binding source of your grid. Then in your update button you have a command like DataAdapter.SaveChanges(). I have not done this in a while but I remember there were plenty of examples on the net. Commented Jul 26, 2016 at 18:05
  • What are the || symbols supposed to be? Commented Jul 26, 2016 at 18:07
  • I think it will do as "OR". Commented Jul 26, 2016 at 18:08
  • See this previous SO answer Parameterized Queries which has an example of an INSERT statement which you could convert to an UPDATE statement. It shows how to utilize a parameterized query with best practice hints. Commented Jul 26, 2016 at 18:09

2 Answers


Using a parameterized query:

// MemberID appears only in the WHERE clause; it is not assigned, so a primary/identity key is never updated.
// Column names must match the table exactly (MusclesSize, as in the question).
using (SqlCommand cmd = new SqlCommand(
        "update Members set Name=@Name, Gender=@Gender, Address=@Address, NID=@NID, DOB=@DOB, BloodGroup=@BloodGroup, Height=@Height, Weight=@Weight, ChestSize=@ChestSize, MusclesSize=@MusclesSize, AbsPack=@AbsPack, Profession=@Profession, Contact=@Contact" + " where MemberID=@MemberID", Connection))
{
    cmd.Parameters.AddWithValue("@MemberID", MemberIDTextBox.Text);
    cmd.Parameters.AddWithValue("@Name", NameTextBox.Text);
    // ...
    // Keep adding parameters, one per @placeholder in the query text
    cmd.ExecuteNonQuery();
}

9 Comments

It's not working still. It says that "SqlException was unhandled"
If MemberID is your primary key, you can't update it. I've edited the code
And btw, start trying with a few parameters until you have fixed the error: SqlCommand cmd = new SqlCommand("update Members set Name=@Name" + " where MemberID=@MemberID", Connection);
Yes.. I did exactly like this but still it's not working and says that "SqlException was unhandled"
You need to look at the InnerException or Message property of the SqlException.

Solution: Change the double-pipe (||) characters to comma (,)

Like so:

string Query = "UPDATE Members SET MemberID='" + MemberIDTextBox.Text + "',  Name='" + NameTextBox.Text + "',  Gender='" + GenderComboBox.Text + "',  Address='" + AddressTextBox.Text + "',  NID='" + NationalIDTextBox.Text + "',  DOB='" + DOBTimePicker.Text + "',  BloodGroup='" + BloodGroupTextBox.Text + "',  Height='" + HeightTextBox.Text + "',  Weight='" + WeightTextBox.Text + "',  ChestSize='" + ChestSizeTextBox.Text + "',  MusclesSize='" + MusclesSizeTextBox.Text + "',  AbsPack='" + AbsPackTextBox.Text + "',  Profession='" + ProfessionTextBox.Text + "',  Contact='" + ContactTextBox.Text + "' WHERE MemberID='" + MemberIDTextBox.Text + "'";

But you should really consider a parameterized query. You're just ASKING for a SQL Injection attack with your current implementation.


How do I use parameterized queries?

There's already a well-explained answer here, on StackOverflow, that gives good examples of how to use parameterized queries in your code.


What is SQL Injection?

It is where a piece of SQL code is essentially exposed through simple string concatenation - mostly from user input (text fields etc.) as in your OP.

If a malicious "query" is input into said field, the potential injector could cause severe issues, and cause a lot of damage, access/edit parts of the database they're not meant to etc.

It is not only a pet hate for most of the world's programmers when other developers expose their code to SQL Injection, it's a real-world problem that can (and has) destroyed businesses.

SQL Injection attacks are virtually "blind", however they can be very destructive.


Some useful resources

9 Comments

... and if MemberID (or anything else) is numeric, don't put single quote around the value. And if it is an identity field you cannot update it.
Which is another reason to use parameterized queries - you don't have to deal with what needs to be quoted or not.
Yes sir, I've replaced all double-pipe with comma. But still it gives me error. It's not working. :-(
It would have helped quite a bit if you posted the error message you're getting.
@pinGOL, you have to provide the error when you say you have an error. I assume it is because MemberID is a primary key and you cannot update it. Remove MemberID from the query. I suggest you update your question to show what you have now tried and what error you are getting.
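The following is an added example, not code from either answer or from the original poster. It reproduces the two patterns discussed above (the string-concatenated UPDATE from the question, and the parameterized UPDATE from the answers) in Python against an in-memory SQLite database so it can run stand-alone; the ADO.NET equivalent is SqlCommand with @-named parameters as shown in the first answer. The Members table is reduced to three columns and the rows and the attacker payload are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the example (not data from the original post).
SAMPLE_MEMBERS = [
    ("1", "Alice", "01711111111"),
    ("2", "Bob", "01722222222"),
    ("3", "Carol", "01733333333"),
]


def make_db():
    """Create a fresh in-memory Members table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Members (MemberID TEXT PRIMARY KEY, Name TEXT, Contact TEXT)"
    )
    conn.executemany("INSERT INTO Members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def update_contact_concat(conn, member_id, contact):
    """VULNERABLE: mirrors the concatenated UPDATE from the question.

    The user-supplied values become part of the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL.
    """
    query = (
        "UPDATE Members SET Contact='" + contact
        + "' WHERE MemberID='" + member_id + "'"
    )
    conn.execute(query)
    conn.commit()
    return query  # returned only so the caller can see what was actually run


def update_contact_param(conn, member_id, contact):
    """HARDENED: parameterized UPDATE, the pattern both answers recommend.

    The SQL text is fixed; values are bound separately and are never
    parsed as SQL, so quotes and comment markers in the input are inert.
    (SQLite uses ? placeholders; SQL Server / SqlCommand uses @Name.)
    """
    conn.execute(
        "UPDATE Members SET Contact=? WHERE MemberID=?", (contact, member_id)
    )
    conn.commit()


def contacts(conn):
    """Return {MemberID: Contact} for every row, to inspect the effect."""
    rows = conn.execute("SELECT MemberID, Contact FROM Members ORDER BY MemberID")
    return {member_id: contact for member_id, contact in rows}


def demo():
    """Run the same attacker-controlled input through both versions.

    Returns (rows after the vulnerable update, rows after the safe update).
    """
    # Constructed attacker input typed into the Contact text box: closes the
    # string, widens the WHERE clause to every row, comments out the rest.
    payload = "x' WHERE 1=1 --"

    vulnerable = make_db()
    update_contact_concat(vulnerable, "2", payload)   # every row is overwritten
    after_concat = contacts(vulnerable)

    safe = make_db()
    update_contact_param(safe, "2", payload)          # only member 2 changes,
    after_param = contacts(safe)                      # and gets the literal text

    return after_concat, after_param


if __name__ == "__main__":
    concat_result, param_result = demo()
    print("concatenated:", concat_result)
    print("parameterized:", param_result)
```

With the concatenated version the statement that actually reaches the database is `UPDATE Members SET Contact='x' WHERE 1=1 --' WHERE MemberID='2'`, so all three members lose their contact number; with the parameterized version only member 2 is touched and the payload is stored as a harmless string. This is also why the second answer's "just change || to ," fix is not enough on its own.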
