sql query

falles01

but I am concatenating C# with SQL so don't you use quotes so it knows what is C# code? EG. The SQL turns red and the C# remains black. If I don't use quotes it will be wrong. I have also used this for my insert statements which work perfectly. The ID is an int in the database. It has seemed that for my insert statements it only works when I use.Tostring which to me is strange. Also the only reason I had to change everything to public was because I am using inheritance. I ahve decided against that now. I am not on contracted work, I am a permanent worker who has been given the opportunity to learn C#.

Christian Graus

falles01 wrote:

Also the only reason I had to change everything to public was because I am using inheritance. I ahve decided against that now.

The two do not follow. Protected gives you things that are private, but visible in derived classes.

falles01 wrote:

but I am concatenating C# with SQL so don't you use quotes so it knows what is C# code?

What I mean is, your final SQL will look like this: where id ='323' or something The id should not be in quotes if it's a number, unless Access is different in that regard. I'm talking about the ' in your generated string, not the quotes around the static strings.

falles01 wrote:

It has seemed that for my insert statements it only works when I use.Tostring which to me is strange.

You may have to use ToString to get a string when yuo're building the SQL, which is a string. Howver, if you concatenate a string and an int, the int should go tostring by itself.,

falles01 wrote:

I am not on contracted work, I am a permanent worker who has been given the opportunity to learn C#.

I just read back on your older thread, so I get your situation now. Did you try getting the SQL out of the debugger and pasting it into Access ? Also, what does your data access code look like ? Ideally, you'd have all your data access via stored procs, and seperated into a dll. For now, I'd recommend you create a class whose sole job is to manage any database calls, and put any data access in there. Make it static, and just call the methods to run the SQL, so in this instance, the method would take two params ( the name and the id ). you can then add methods to 'sanitise' your input against SQL injection attacks, but even if yuo don't, it makes sense to centralise your SQL, not least so you can reuse it if need be.

Christian Graus - Microsoft MVP - C++ "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )

Dave Kreskowiak

falles01 wrote:

but I am concatenating C# with SQL so don't you use quotes so it knows what is C# code?

No. The SQL String you built using this code is:

UPDATE employees SET Fullname = 'someTextBoxValue' Where EmployeeID = 'someIdValue'

Because of the single quotes around the IDValue, you've told SQL to treat it as a string. So, is this value a string in your table or are you telling SQL to find a string value in a numeric column? You really need to translate this code into an SQL parameterized query. That way, you don't make the mistake of quoting numbers or haveing a user enter a quote in a textbox, then having that screw up your concatentated string, thereby making an invalid SQL statement.

A guide to posting questions on CodeProject[^]
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
     2006, 2007

Colin Angus Mackay

Please read SQL Injection attacks and tips on how to prevent them.[^]

---

-- Always write code as if the maintenance programmer were an axe murderer who knows where you live. Upcoming FREE developer events: * Glasgow: Agile in the Enterprise Vs. ISVs, Mock Objects, SQL Server CLR Integration, Reporting Services, db4o ... * Reading: SQL Bits My website

Christian Graus

*grin* I've told her that three times now. I suspect she's completely overwhelmed by being given a task that she was not hired for, so I'm recommending she create a data layer that she can easily work through to fix the injection stuff later, if she chooses not to do it now.

Christian Graus - Microsoft MVP - C++ "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )

falles01

Okay okay..I will read up on injection attacks. I just wanted to get this working first as I only have a few days to cmplete this before they may possibly ask me to go back to my previous job. I am hoping they will give me an extension because I would obviously want to make it as safe as possible. at the moment I am only using dummy data in the database. Thanks;P

falles01

My sql update query now works correctly. I asked for more help around me and worked out some things for myself. I found that if I put the code for the save button at the bottom of the page it works exactly the same way. Strange. :-D

Christian Graus

If you need to impress by a deadline, I'd say get features in there, and add comments about your intention to move to a better data layer, so that you're covered if someone looks at it later, but you focus on progress that will impress and get you your extension. This is no way to write software, but that's not your fault, obviously.

Christian Graus - Microsoft MVP - C++ "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )

Vasudevan Deepak Kumar

This query is really good in one way. It can clean the database in just one shot. :mad: P.S.: I actually indicated about the vulnerability of SQL Injection that this query is bearing on it. :)

Vasudevan Deepak Kumar Personal Homepage Tech Gossips

Christian Graus

Thanks for adding that, there was a danger that she missed the three people who told her already...

Christian Graus - Microsoft MVP - C++ "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )