Updating records in textbox through sql

  • Question

  • User1982845672 posted

     Hi!

    I have records displayed in a textbox which are fetched from the database. If I update those records and the update button is pressed, the altered data should replace the existing data. Here is the code; please correct me if I am wrong.

    try
    {
        SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["constrname"].ConnectionString);
        conn.Open();
        string tempProf = Request.QueryString.Get("ID");
        SqlCommand com = new SqlCommand("UPDATE newuser SET [firstname] = '" + txt_upProfFN.Text + "' where ID= " + tempProf, conn);
        com.Parameters.Add(new SqlParameter("@firstname", txt_upProfFN.Text.ToString()));
        com.ExecuteNonQuery();
        Response.Write("Updated Successfully");
    }
    catch (Exception exc)
    {
        Response.Write(exc.Message.ToString());
    }

    Monday, March 16, 2009 5:59 AM

Answers

  • User-1557807525 posted

    This is just an update statement; you don't have any parameter in the update command

      com.Parameters.Add(new SqlParameter("@firstname", txt_upProfFN.Text.ToString()));
    but you are trying to set a value for the parameter.

    The best way is to use an SQL command with a parameterized query and pass the parameter with its value to avoid SQL injection.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, March 16, 2009 7:11 AM
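    The difference the answer above describes, shown as an added example that is not code from this thread: Python with an in-memory sqlite3 table stands in for the C# SqlCommand and the newuser table (sqlite uses ? placeholders where SqlClient uses @name), and the rows, names and IDs are constructed for the demonstration.

```python
import sqlite3


def fresh_db():
    """Constructed in-memory stand-in for the forum's 'newuser' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newuser (ID INTEGER PRIMARY KEY, firstname TEXT)")
    conn.execute("INSERT INTO newuser VALUES (1, 'Alice'), (2, 'Bob')")
    return conn


def update_concatenated(conn, user_id, firstname):
    """The question's approach: user-supplied text spliced into the SQL statement."""
    sql = "UPDATE newuser SET firstname = '" + firstname + "' WHERE ID = " + user_id
    conn.execute(sql)  # the database now parses the user's text as SQL
    conn.commit()


def update_parameterized(conn, user_id, firstname):
    """The accepted answer's approach: placeholders in the SQL, values passed separately."""
    # The ID arrives from a query string; reject anything that is not an integer
    # before any SQL runs, since the column is numeric.
    id_value = int(user_id)  # raises ValueError on non-numeric input
    conn.execute("UPDATE newuser SET firstname = ? WHERE ID = ?", (firstname, id_value))
    conn.commit()


def firstname_of(conn, user_id):
    row = conn.execute("SELECT firstname FROM newuser WHERE ID = ?", (user_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both approaches on the same inputs and reports what each did."""
    results = {}
    # An ordinary name containing a quote is enough to break the concatenated statement.
    conn = fresh_db()
    try:
        update_concatenated(conn, "1", "O'Brien")
        results["concat_quote"] = firstname_of(conn, 1)
    except sqlite3.Error as e:
        results["concat_quote"] = "error: " + type(e).__name__
    # The same value is stored literally when it travels as a parameter.
    conn = fresh_db()
    update_parameterized(conn, "1", "O'Brien")
    results["param_quote"] = firstname_of(conn, 1)
    # A non-numeric ID from the query string is rejected before reaching the database.
    try:
        update_parameterized(conn, "12abc", "Carol")
        results["param_bad_id"] = "accepted"
    except ValueError:
        results["param_bad_id"] = "rejected"
    return results
```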

All replies

  • User191633014 posted

    try
    {
        string tempProf = Request.QueryString.Get("ID");

        // using blocks dispose the connection and command even if ExecuteNonQuery throws
        using (SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["constrname"].ConnectionString))
        using (SqlCommand com = new SqlCommand("UPDATE newuser SET [firstname] = @firstname WHERE ID = @tempProf", conn))
        {
            // values are sent as parameters, never concatenated into the SQL text
            com.Parameters.Add(new SqlParameter("@firstname", txt_upProfFN.Text));
            // the parameter name must match the placeholder exactly (no trailing space)
            com.Parameters.Add(new SqlParameter("@tempProf", tempProf));

            conn.Open();
            com.ExecuteNonQuery();
        }
        Response.Write("Updated Successfully");
    }
    catch (Exception exc)
    {
        // note: echoing exc.Message to the page discloses database details to the user
        Response.Write(exc.Message.ToString());
    }

    Monday, March 16, 2009 7:08 AM
  • User-1944934663 posted

     You are directly passing the values, so there is no need to create the parameters.

    Just remove the parameter code: com.Parameters.Add(new SqlParameter("@firstname", txt_upProfFN.Text.ToString()));

    Monday, March 16, 2009 7:13 AM