The user will input a value for Quantity in a textbox. I want to add this value to the value present in the Quantity column in the database. How do I perform it?

What I have tried:

cmd.CommandText = "update Books set Quantity=Quantity + txtUpdateQuantity.Text where Name='"+txtBookName.Text+"' and Author='"+txtBookAuthor.Text+"';";
Posted
Updated 1-Mar-17 23:11pm

Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parameterized queries instead.
First, parse the numeric values to number variables:
C#
// Validate the user's text as an integer before it goes anywhere near the database
int qty;
if (!int.TryParse(txtUpdateQuantity.Text, out qty))
{
    ... report a problem to the user ...
    return;
}

Then try something like this:
C#
// Requires: using System.Data.SqlClient;
// strConnect is your SQL Server connection string
using (SqlConnection con = new SqlConnection(strConnect))
{
    con.Open();
    // The values are sent as parameters, never spliced into the SQL text
    using (SqlCommand cmd = new SqlCommand("UPDATE Books SET Quantity = Quantity + @QT WHERE [Name] = @NM AND Author = @AU", con))
    {
        cmd.Parameters.AddWithValue("@QT", qty);
        cmd.Parameters.AddWithValue("@NM", txtBookName.Text);
        cmd.Parameters.AddWithValue("@AU", txtBookAuthor.Text);
        cmd.ExecuteNonQuery();
    }
}
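The answer above states the risk but does not show what the concatenated query actually does when the textbox holds hostile input. The following is an added example, not code from the question or the answer: it rebuilds the Books table in an in-memory SQLite database (Python's sqlite3 stands in for SQL Server and ADO.NET, which cannot run here) and runs the question's concatenated UPDATE beside the parameterized one against the same constructed injection payloads. Table name and column names come from the question; the rows, payloads and helper names are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for the Books table in the question.
SAMPLE_BOOKS = [
    ("Dune", "Frank Herbert", 5),
    ("Neuromancer", "William Gibson", 3),
    ("Snow Crash", "Neal Stephenson", 7),
]


def make_db():
    """Return a fresh in-memory database seeded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Books (Name TEXT, Author TEXT, Quantity INTEGER)")
    con.executemany("INSERT INTO Books VALUES (?, ?, ?)", SAMPLE_BOOKS)
    con.commit()
    return con


def quantities(con):
    """Current Quantity per book title, for checking what an UPDATE touched."""
    rows = con.execute("SELECT Name, Quantity FROM Books ORDER BY Name")
    return {name: qty for name, qty in rows}


def update_concatenated(con, qty_text, name, author):
    """The pattern from the question: textbox contents pasted into the SQL text.
    Returns the number of rows the UPDATE touched."""
    sql = ("UPDATE Books SET Quantity = Quantity + " + qty_text
           + " WHERE Name = '" + name + "' AND Author = '" + author + "'")
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_parameterized(con, qty_text, name, author):
    """The hardened form from the answer: quantity parsed to int first,
    every value passed as a bound parameter. Raises ValueError on a
    non-numeric quantity (the equivalent of int.TryParse failing)."""
    qty = int(qty_text)
    cur = con.execute(
        "UPDATE Books SET Quantity = Quantity + ? WHERE Name = ? AND Author = ?",
        (qty, name, author),
    )
    con.commit()
    return cur.rowcount


def demo():
    """Run both forms against constructed payloads; returns rows affected by each."""
    # Payload in the Name textbox: closes the quote, makes the WHERE always true,
    # and comments out the rest of the statement.
    name_payload = "x' OR 1=1 --"
    # Payload in the Quantity textbox: replaces the WHERE clause entirely.
    qty_payload = "-1000 WHERE 1=1 --"

    con = make_db()
    hit_name = update_concatenated(con, "100", name_payload, "anyone")      # every row
    hit_qty = update_concatenated(con, qty_payload, "Dune", "Frank Herbert")  # every row

    con = make_db()
    safe_name = update_parameterized(con, "100", name_payload, "anyone")    # no such title: 0 rows
    try:
        safe_qty = update_parameterized(con, qty_payload, "Dune", "Frank Herbert")
    except ValueError:
        safe_qty = "rejected before reaching the database"
    return hit_name, hit_qty, safe_name, safe_qty


if __name__ == "__main__":
    print(demo())
```

With the concatenated form both payloads reach every row in the table; with the parameterized form the Name payload is just a title that matches nothing, and the Quantity payload never becomes SQL because it fails integer parsing first. The same split applies in the C# above: the int.TryParse step and the @QT/@NM/@AU parameters are what keep user text out of the statement.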
Comments
Pallavi 24 3-Mar-17 9:10am    
The ConnectionString property has not been initialized.
I am getting this error.
OriginalGriff 3-Mar-17 9:11am    
And what did you put in strConnect?
Pallavi 24 3-Mar-17 9:22am    
Thank you so much. I made changes and it is working now perfectly.
OriginalGriff 3-Mar-17 9:55am    
You're welcome!
Pallavi 24 3-Mar-17 9:52am    
I did not use a connection string. Actually, I modified your code and used the following code:
SqlCommand cmd= con.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText="UPDATE Books SET Quantity = Quantity + @QT WHERE Name = @NM AND Author = @AU";
cmd.Parameters.AddWithValue("@QT", qty);
cmd.Parameters.AddWithValue("@NM", txtBookName.Text);
cmd.Parameters.AddWithValue("@AU", txtBookAuthor.Text);
cmd.ExecuteNonQuery();
MessageBox.Show("Updated successfully");
con.Close();

C#
// Parse the quantity first so the parameter carries an int, matching the Quantity column
int qty = int.Parse(txtUpdateQuantity.Text);
string book = txtBookName.Text;
string author = txtBookAuthor.Text;
SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
// Every user-supplied value goes in as a parameter, not into the SQL text
cmd.CommandText = "update Books set Quantity=Quantity + @qty where Name=@book and Author=@author";
cmd.Parameters.AddWithValue("@qty", qty);
cmd.Parameters.AddWithValue("@book", book);
cmd.Parameters.AddWithValue("@author", author);
con.Open();
cmd.ExecuteNonQuery();

Formatting the SQL query string is vulnerable to SQL Injection attacks;
always use parameterized queries to prevent SQL Injection attacks in SQL Server.
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)