VB
Sub AddTOCart()
    Try
        ' Nothing to add when the quantity box is empty or zero
        If txtQuantity.Text = String.Empty OrElse txtQuantity.Text = "0" Then Return
        Dim CartDate As String = Now.ToString("yyyy/MM/dd")
        cn.Open()
        ' Insert the new cart line; every value is bound as a parameter
        cm = New SqlCommand("insert into tblCart (CartInvoice,CartProduct,CartPrice,CartQuantity,CartDate,CartUser) values (@CartInvoice,@CartProduct,@CartPrice,@CartQuantity,@CartDate,@CartUser)", cn)
        With FormSales
            cm.Parameters.AddWithValue("@CartInvoice", .lblInvoice.Text)
            cm.Parameters.AddWithValue("@CartProduct", lblPID.Text)
            cm.Parameters.AddWithValue("@CartPrice", CDbl(LblPrice.Text))
            cm.Parameters.AddWithValue("@CartQuantity", CInt(txtQuantity.Text))
            cm.Parameters.AddWithValue("@CartDate", CartDate)
            cm.Parameters.AddWithValue("@CartUser", StrUser)
            cm.ExecuteNonQuery()
            cn.Close()
            cn.Open()
            ' Recalculate the line totals for this invoice.
            ' Note: here the invoice number is concatenated into the SQL text
            ' instead of being passed as a parameter (the answer below addresses this).
            cm = New SqlCommand("update tblCart set CartTotal = CartPrice * CartQuantity where CartInvoice like '" & .lblInvoice.Text & "'", cn)
            cm.ExecuteNonQuery()
            cn.Close()
            ' Return focus to the search box with its text selected, then refresh the grid
            .txtSearch.Focus()
            .txtSearch.SelectionStart = 0
            .txtSearch.SelectionLength = .txtSearch.Text.Length
            .LoadCart()
        End With
        Me.Dispose()
    Catch ex As Exception
        cn.Close()
        MsgBox(ex.Message, vbCritical)
    End Try
End Sub
*******
Sub LoadCart()
    Try
        Dim i As Integer = 0
        Dim total As Double = 0
        DataGridView1.Rows.Clear()
        cn.Open()
        ' Join the cart lines to the product lookup tables for this invoice.
        ' Note: the invoice number is concatenated into the SQL text here
        ' instead of being passed as a parameter (the answer below addresses this).
        cm = New SqlCommand("SELECT * FROM tblCart AS r INNER JOIN tblProduct AS p ON r.CartProduct = ProductID INNER JOIN tblGeneric AS g ON p.ProductGeneric = GenericID INNER JOIN tblBrand AS b ON p.ProductBrand = BrandID INNER JOIN tblFromulation AS f ON p.ProductFromulation = FromulationID INNER JOIN tblClassification AS c ON p.ProductClassification = ClassificationID INNER JOIN tblType AS t ON p.ProductType = TypeID where CartInvoice like '" & lblInvoice.Text & "'", cn)
        dr = cm.ExecuteReader()
        ' Read() advances the reader one row at a time and returns False when
        ' there are no more rows. "With dr.Read" only ever touched the first row;
        ' a While loop is needed to visit every cart line.
        While dr.Read()
            i += 1
            DataGridView1.Rows.Add(i, dr.Item("CartID").ToString, dr.Item("CartInvoice").ToString, dr.Item("GenericName").ToString, dr.Item("BrandName").ToString, dr.Item("FromulationName").ToString, dr.Item("ClassificationName").ToString, dr.Item("TypeName").ToString, dr.Item("ProductSalePrice").ToString, dr.Item("CartQuantity").ToString, Format(CDate(dr.Item("ProductDate").ToString), "yyyy/MM"), dr.Item("CartTotal").ToString)
            total += CDbl(dr.Item("CartTotal").ToString)
        End While
        dr.Close()
        cn.Close()
        lblDisplayTotal.Text = Format(total, "#,##0")
    Catch ex As Exception
        cn.Close()
        MsgBox(ex.Message, vbCritical)
    End Try
End Sub


What I have tried:

VB
DataGridView1.Rows.Add(i, dr.Item("ProductID").ToString
Posted
Updated 8-Jul-24 14:19pm
v3
Comments
Dave Kreskowiak 8-Jul-24 19:11pm    
OK, and? You haven't described a problem with any useful detail at all.
What does the code do? What is it expected to do? What is it actually doing? Any error messages? ...

1 solution

Don't do it like that!
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
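As an added illustration (not part of the question or of this answer): the two commands in the question that still concatenate the invoice number, the UPDATE in AddTOCart and the SELECT in LoadCart, rewritten so the invoice travels as a SqlParameter, with the reader loop written as While dr.Read() and the connection and reader wrapped in Using blocks. The connection string is a placeholder, the parameter type and length (NVarChar 50) are assumed, and the key columns are assumed to live in the tables their aliases suggest (ProductID in tblProduct, GenericID in tblGeneric, and so on); adjust all of these to the real schema.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Windows.Forms

Public Module CartData
    ' Placeholder connection string (assumption); replace with the application's own.
    Private ReadOnly ConnectionString As String =
        "Server=(local);Database=PLACEHOLDER_DB;Integrated Security=true"

    ' Recalculates CartTotal for one invoice (the UPDATE from AddTOCart).
    ' The invoice number is bound as a typed parameter, so a value such as
    ' x';DROP TABLE tblCart;-- is compared as a literal string and is never parsed as SQL.
    ' The original used LIKE with no wildcard, so an equality test expresses the same intent.
    Public Function UpdateCartTotals(invoice As String) As Integer
        Using cn As New SqlConnection(ConnectionString)
            Using cm As New SqlCommand(
                    "UPDATE tblCart SET CartTotal = CartPrice * CartQuantity " &
                    "WHERE CartInvoice = @CartInvoice", cn)
                ' Explicit type and length (assumed NVarChar 50) avoid the implicit
                ' conversions that AddWithValue can introduce; match the real column.
                cm.Parameters.Add("@CartInvoice", SqlDbType.NVarChar, 50).Value = invoice
                cn.Open()
                Return cm.ExecuteNonQuery()   ' number of cart lines updated
            End Using
        End Using
    End Function

    ' Fills the grid with the cart lines for one invoice (the SELECT from LoadCart)
    ' and returns the running total. While dr.Read() visits every row, and the
    ' Using blocks close the reader and connection even when an exception is thrown.
    Public Function LoadCartRows(invoice As String, grid As DataGridView) As Double
        Dim total As Double = 0
        Dim i As Integer = 0
        grid.Rows.Clear()
        Using cn As New SqlConnection(ConnectionString)
            Using cm As New SqlCommand(
                    "SELECT r.CartID, r.CartInvoice, g.GenericName, b.BrandName, " &
                    "f.FromulationName, c.ClassificationName, t.TypeName, " &
                    "p.ProductSalePrice, r.CartQuantity, p.ProductDate, r.CartTotal " &
                    "FROM tblCart AS r " &
                    "INNER JOIN tblProduct AS p ON r.CartProduct = p.ProductID " &
                    "INNER JOIN tblGeneric AS g ON p.ProductGeneric = g.GenericID " &
                    "INNER JOIN tblBrand AS b ON p.ProductBrand = b.BrandID " &
                    "INNER JOIN tblFromulation AS f ON p.ProductFromulation = f.FromulationID " &
                    "INNER JOIN tblClassification AS c ON p.ProductClassification = c.ClassificationID " &
                    "INNER JOIN tblType AS t ON p.ProductType = t.TypeID " &
                    "WHERE r.CartInvoice = @CartInvoice", cn)
                cm.Parameters.Add("@CartInvoice", SqlDbType.NVarChar, 50).Value = invoice
                cn.Open()
                Using dr As SqlDataReader = cm.ExecuteReader()
                    While dr.Read()
                        i += 1
                        grid.Rows.Add(i,
                                      dr("CartID").ToString(),
                                      dr("CartInvoice").ToString(),
                                      dr("GenericName").ToString(),
                                      dr("BrandName").ToString(),
                                      dr("FromulationName").ToString(),
                                      dr("ClassificationName").ToString(),
                                      dr("TypeName").ToString(),
                                      dr("ProductSalePrice").ToString(),
                                      dr("CartQuantity").ToString(),
                                      Format(CDate(dr("ProductDate")), "yyyy/MM"),
                                      dr("CartTotal").ToString())
                        total += Convert.ToDouble(dr("CartTotal"))
                    End While
                End Using
            End Using
        End Using
        Return total
    End Function
End Module
```

In the form, AddTOCart would call UpdateCartTotals(FormSales.lblInvoice.Text) after the INSERT, and LoadCart becomes lblDisplayTotal.Text = Format(LoadCartRows(lblInvoice.Text, DataGridView1), "#,##0"). Because the SQL text no longer changes with the input, SQL Server can also reuse one cached plan for every invoice instead of compiling a new one per string.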
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)