Last post Jan 09, 2010 07:50 PM by Mikesdotnetting
Jan 09, 2010 06:37 PM
Hi, I am trying to update the database for a simple bank project. I am updating the current balance of an account. What I did was read the current balance first, then add the deposited amount, and then try to update it in the database.
Here is the code:
```csharp
protected void Button1_Click(object sender, EventArgs e)
{
    SqlConnection newSqlConnection = new SqlConnection();
    newSqlConnection.ConnectionString = ConfigurationManager.ConnectionStrings["AccountsConnectionString1"].ToString();
    SqlCommand myCommand = newSqlConnection.CreateCommand();
    SqlCommand myCommand1 = newSqlConnection.CreateCommand();
    // The text box and radio button values are concatenated straight into the SQL text.
    // Note that there is no space between the closing quote and "AND".
    myCommand.CommandText = "SELECT currentBalance from currentBalances where accountNumber = " + "'" + accountNumberTextBox.Text + "'" + "AND accountType =" + "'" + accountTypeButton.SelectedItem.ToString() + "'";
    newSqlConnection.Open();
    String currentbalance = " ";
    using (SqlDataReader myReader = myCommand.ExecuteReader())
    {
        // Read() moves to the first row; the reader is closed before the second command runs
        if (myReader.Read())
        {
            currentbalance = myReader["currentBalance"].ToString();
        }
    }
    int cb = Convert.ToInt32(currentbalance);
    int textboxamount = Convert.ToInt32(depositAmountTextBox.Text);
    cb = cb + textboxamount;
    currentbalance = cb.ToString();
    // Same concatenation for the update; again there is no space before "where"
    myCommand1.CommandText = "UPDATE currentBalances set currentBalance =" + currentbalance + "where accountNumber = " + "'" + accountNumberTextBox.Text + "'" + "AND accountType =" + "'" + accountTypeButton.SelectedItem.ToString() + "'";
    int rowsAffected = 0;
    rowsAffected = myCommand1.ExecuteNonQuery();
    newSqlConnection.Close();
    if (rowsAffected > 0)
    {
        // rest of the handler not included in the post
    }
}
```
I also did some debugging and found that the value of the current balance is exactly what I expected, but I do not see the new value in the database. Am I missing anything obvious?
Please let me know.
Jan 09, 2010 06:51 PM
That's pretty hideous with all that string concatenation going on. I suggest you first start by changing over to using parameters: http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET, and then check that the values of all the parameters are as you expect them to be.
Jan 09, 2010 07:08 PM
Great article about injection attacks. Thanks for that.
How can I use the parameters to update the table? Obviously an insert would work, but for an update statement, can we use this technique?
Jan 09, 2010 07:44 PM
Is your condition criteria being met correctly in the database?
Use Trim with the textbox value, as this will remove spaces in the textbox.
Also, you have provided accountTypeButton.SelectedItem.ToString(), which will put the display text in the query; you have to use accountTypeButton.SelectedValue, which will put the value related to the selected text.
Jan 09, 2010 07:47 PM
Thanks a lot, Mike, for that article. I changed my code to parameterized queries and guess what, it worked.
```csharp
newSqlDataSource.UpdateCommand = "UPDATE currentBalances set currentBalance = @currentbalance where accountNumber = @accountNumber";
```
Sweet and simple.
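As an added example (not code from this thread or its posters), here is the deposit written as a parameterized UPDATE, following Mike's article and the earlier reply's Trim and SelectedValue advice. It assumes the thread's table and column names and connection string name; the class and method names, the varchar lengths and the use of a single server-side increment (instead of the post's separate SELECT and UPDATE) are my own choices, the last of which also removes the window in which a concurrent deposit could be lost.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class BalanceRepository
{
    // Adds depositAmount to one account's balance and returns the new balance,
    // or null when no row matched the account number and type.
    public static int? Deposit(string accountNumber, string accountType, int depositAmount)
    {
        if (depositAmount <= 0)
            throw new ArgumentOutOfRangeException("depositAmount", "Deposit must be positive.");

        string connectionString =
            ConfigurationManager.ConnectionStrings["AccountsConnectionString1"].ConnectionString;

        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand update = connection.CreateCommand())
        {
            // Placeholders instead of string concatenation: the user's input never becomes
            // part of the SQL text, so quotes or keywords in it cannot alter the statement.
            // Adding on the server side also avoids the read-then-write gap of the original.
            update.CommandText =
                "UPDATE currentBalances " +
                "SET currentBalance = currentBalance + @depositAmount " +
                "OUTPUT INSERTED.currentBalance " +
                "WHERE accountNumber = @accountNumber AND accountType = @accountType";

            // Typed parameters; the varchar lengths are assumed and should match the columns.
            update.Parameters.Add("@depositAmount", SqlDbType.Int).Value = depositAmount;
            update.Parameters.Add("@accountNumber", SqlDbType.VarChar, 20).Value = accountNumber.Trim();
            update.Parameters.Add("@accountType", SqlDbType.VarChar, 20).Value = accountType;

            connection.Open();
            object newBalance = update.ExecuteScalar(); // null when no row matched
            return newBalance == null ? (int?)null : Convert.ToInt32(newBalance);
        }
    }
}

// Call from the button handler in the thread, using SelectedValue rather than
// SelectedItem.ToString() as one reply points out:
//   int? balance = BalanceRepository.Deposit(accountNumberTextBox.Text,
//       accountTypeButton.SelectedValue, Convert.ToInt32(depositAmountTextBox.Text));
```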
Jan 09, 2010 07:50 PM
I changed my code to parameterized queries and guess what, it worked
Excellent. Another convert.