// This code runs when an employee applies for a claim (employee module code)

C#
using System.Data;
using System.Data.SqlClient;

// The stray closing brace in the posted fragment implies an enclosing method;
// the method name and the open SqlConnection field _oCon are assumed.
protected void SaveClaim()
{
    using (SqlCommand _oCmd = new SqlCommand())
    {
        _oCmd.Connection = _oCon;
        _oCmd.CommandType = CommandType.StoredProcedure;
        _oCmd.CommandText = "dbo.stp_iOpdClaim";
        // Every value reaches the stored procedure as a parameter, not as SQL text.
        _oCmd.Parameters.Add(new SqlParameter("@userid", lbldisplay.Text.Trim()));
        _oCmd.Parameters.Add(new SqlParameter("@claimamt", txttotalcost.Text.Trim()));
        _oCmd.Parameters.Add(new SqlParameter("@status", "pending"));
        // Each new claim row starts with the full 15000 allowance.
        _oCmd.Parameters.Add(new SqlParameter("@Balance", 15000));

        _oCmd.ExecuteNonQuery();
        ClearControls();
        GetSaveMessage();
    }
}


An employee can claim up to 15000; that's why 15000 is stored in Balance.

// Admin module code for approving/rejecting a claim

Suppose for the 1st claim I apply for a claim amount of 5000. The admin verifies and approves it, so 10000 is saved in the database for the 1st claim. When I claim for the 2nd time, the claim amount of the 2nd claim should be subtracted from 10000, but it was subtracted from 15000 only. Please check the code, tell me where I am wrong and suggest an alternative.

C#
// _sr is the user id taken from the query string. In the posted fragment this
// line sits outside any method; it presumably runs in Page_Load.
_sr = Request.QueryString["sr"].ToString();

protected void SaveDetail()
{
    // DB is the poster's own data-access helper (execute_dml, getdataset, close).
    DB obj = new DB();

    // The UPDATE is built by string concatenation: the two textbox values and the
    // query-string user id are pasted straight into the SQL text. The closing
    // single quote after userid is also missing (the answers below point this out).
    string str = "update tbl_OpdClaim set Balance =" + txtbalance.Text + " ,status='" + txtstatus.Text + "' where userid='" + _sr.ToString() + " ; 

    obj.execute_dml(str);
    GetSaveMessage();
    obj.close();
}

protected void cmdverify_Click(object sender, EventArgs e)
{
    DataSet ds = new DataSet();
    DB obj = new DB();

    // Same concatenation pattern for the SELECT; only the first returned row is used.
    string str = "select totalamt,Balance from tbl_OpdClaim where userid='" + _sr.ToString() + "'";
    ds = obj.getdataset(str);

    double bal = Convert.ToDouble(ds.Tables[0].Rows[0]["Balance"].ToString());
    double claimamt = Convert.ToDouble(ds.Tables[0].Rows[0]["totalamt"].ToString());
    if (claimamt < bal)
        bal = bal - claimamt;
    // The new balance is shown in a textbox and later posted back to SaveDetail.
    txtbalance.Text = bal.ToString();
}

protected void rdbStatuschange_SelectedIndexChanged(object sender, EventArgs e)
{
    if (rdbStatuschange.SelectedValue == "Approved")
    {
        txtstatus.Text = "Approved";
    }
    else
    {
        txtstatus.Text = "Rejected";
    }
}
Updated 21-May-11 6:49am

One error that I can see is that the update SQL statement is not complete. You missed the last single quote.

C#
string str = "update tbl_OpdClaim set Balance =" + txtbalance.Text + " ,status='" + txtstatus.Text + "' where userid='" + _sr.ToString() + "'" ; 


General comment:

You started with a good approach, which is a parameterized query, and then mixed it with a concatenated SQL statement, which is bad. As Christian Graus said, you might be exposed to SQL Injection.
Your code is a disaster. I can erase your database any time I like, by entering the right text into txtBalance or txtStatus. Read up on SQL injection, fix your code, use the debugger to walk through what is going on, and then ask again, reporting the steps you took, and what you found.
Comments
invisible@123 21-May-11 12:55pm    
But sir, my txtbalance and txtstatus are read-only.
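Both answers make the same point, so here is one added example (not code from the original post or its author) of the admin-side update and balance check written the way the poster's first, stored-procedure block already does it: the SQL text is a constant and every runtime value travels as a SqlParameter. The `readonly` attribute on txtbalance and txtstatus is enforced only by the browser; a request assembled with any HTTP client can carry whatever values it likes for those fields, and `_sr` comes straight from the query string, so all three inputs are attacker-controlled. The example assumes an already open SqlConnection `con`, the table and column names used in the post (tbl_OpdClaim, userid, Balance, status, totalamt), and that userid identifies the claim row being approved, which is what the post's own WHERE clause assumes. The class and method names are mine.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the poster's code. Names below are assumed for illustration.
public static class ClaimRepository
{
    // The concatenated form from the post, kept only for comparison. Whoever
    // controls "sr" (the query string) or the textboxes controls the SQL text:
    //   sr = "x' OR '1'='1"  produces  ... where userid='x' OR '1'='1'
    // which updates every row in the table instead of one.
    public static string VulnerableUpdateSql(string balance, string status, string sr)
    {
        return "update tbl_OpdClaim set Balance =" + balance +
               " ,status='" + status + "' where userid='" + sr + "'";
    }

    // Hardened form: values are bound as typed parameters and can never be
    // interpreted as SQL, whatever characters they contain.
    public static int UpdateClaim(SqlConnection con, string userId, decimal balance, string status)
    {
        // Server-side validation; the radio button on the page is not a control.
        if (status != "Approved" && status != "Rejected")
            throw new ArgumentException("unexpected status", nameof(status));

        using (SqlCommand cmd = con.CreateCommand())
        {
            cmd.CommandText =
                "update tbl_OpdClaim set Balance = @balance, status = @status where userid = @userid";
            cmd.Parameters.Add("@balance", SqlDbType.Decimal).Value = balance;
            cmd.Parameters.Add("@status", SqlDbType.VarChar, 20).Value = status;
            cmd.Parameters.Add("@userid", SqlDbType.VarChar, 50).Value = userId;
            return cmd.ExecuteNonQuery(); // rows affected; 0 means no such userid
        }
    }

    // The subtraction from cmdverify_Click, performed inside the UPDATE itself so
    // the new balance is derived from the stored value rather than from a number
    // the browser posts back. The totalamt <= Balance guard mirrors the post's
    // "if (claimamt < bal)" check; a claim larger than the balance changes nothing.
    public static int ApproveClaim(SqlConnection con, string userId)
    {
        using (SqlCommand cmd = con.CreateCommand())
        {
            cmd.CommandText =
                "update tbl_OpdClaim set Balance = Balance - totalamt, status = 'Approved' " +
                "where userid = @userid and totalamt <= Balance";
            cmd.Parameters.Add("@userid", SqlDbType.VarChar, 50).Value = userId;
            return cmd.ExecuteNonQuery(); // 1 if the claim was approved, 0 otherwise
        }
    }
}
```

Compare UpdateClaim with the posted SaveDetail: the statement text never changes, so there is no quote to forget and no way for a value such as `x' OR '1'='1` to rewrite the WHERE clause. ApproveClaim goes one step further for the approval path, computing the balance in the database so the form only ever carries the user id and the decision, and the return value of ExecuteNonQuery tells the caller whether a row was actually approved.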

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)