using System.Data.SqlClient;
using System.Data.Sql;

public partial class _Default : System.Web.UI.Page 
{


 SqlConnection con = new SqlConnection(@"Data Source=GAGAN-PC\SQLEXPRESS;Initial Catalog=update_test;Integrated Security=True");
    SqlCommand cmd;
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void delete_button_Click(object sender, EventArgs e)
    {
        con.Open();
        cmd = new SqlCommand("delete from update_delete where id like'"+TextBox1.Text+"'",con);
        cmd.ExecuteNonQuery();
        Response.Write("Control reached.");
        con.Close();
        Response.Write("Data successfully deleted.");
    }
    protected void update_button_Click(object sender, EventArgs e)
    {
        con.Open();
        cmd = new SqlCommand("update update_delete set password ='"+TextBox3.Text+"' where id like'"+TextBox2+"'", con);
        cmd.ExecuteNonQuery();
        Response.Write("Control reached.");
        con.Close();
        Response.Write("Data successfully Updated.");
    }
}

I am trying to implement an update query, but there is a little problem with it. I am using SQL Server as the database, and update_delete is a table with 3 columns (id, sname, password); I am trying to update password with respect to id.

The problem is that when I click on the update button, control reaches cmd.ExecuteNonQuery(); and no error is displayed, but the update does not take place. What should I do? Please, please, please help me. Thanks in advance. :) :)

  • So many IDisposable objects. So few Dispose calls :( Commented Nov 24, 2013 at 10:44
  • So many queries, so few parameters - so much SQL Injection danger! Commented Nov 24, 2013 at 10:55
  • Incorrect, marc_s. You can use the LIKE operator with numeric datatypes such as INT. It is not clear why someone would, but it does function as expected. Commented Nov 24, 2013 at 12:49
  • You should always use parameterized queries when collecting user input. This is one of the basics of web development. It helps prevent SQL injection attacks. There are multiple, very serious security issues in this example. Commented Nov 24, 2013 at 13:05

2 Answers

I'm just guessing here - if Id is a numeric datatype, then you cannot use LIKE with it.

Also: please use using()... blocks to ensure proper disposal and use parametrized queries to avoid SQL Injection attacks.

Write your UPDATE command like this:

// needs "using System.Data;" for SqlDbType
protected void update_button_Click(object sender, EventArgs e)
{
    // get the values to use (TextBox2 holds the id and TextBox3 the password, as in the question)
    int idValue = Convert.ToInt32(TextBox2.Text.Trim());
    string password = TextBox3.Text.Trim();

    // define the query text with *parameters* !
    string updateQuery = "update update_delete set password = @password where id = @ID";

    // put things like SqlConnection and SqlCommand into "using()...." blocks
    using (SqlCommand updCmd = new SqlCommand(updateQuery, con))
    {
        // define parameters and their values
        updCmd.Parameters.Add("@password", SqlDbType.VarChar, 50).Value = password;
        updCmd.Parameters.Add("@ID", SqlDbType.Int).Value = idValue;

        con.Open();
        updCmd.ExecuteNonQuery();   // execute the parametrized command, not the old "cmd" field
        con.Close();

        Response.Write("Data successfully Updated.");
    }
}

7 Comments

  • Another important note is that passwords should never be stored in plain text.
  • `// define parameters and their values` Is there any point to specifying the type as well? I know with some parameters you have to (e.g. TVPs), but otherwise AddWithValue has always worked fine for me and it's much less code.
  • @ta.speot.is: it's just a personal preference - I prefer to tell ADO.NET what my types are, rather than let it guess those from the values I provide. What should it guess if you pass in a NULL??
  • @marc_s Most .NET types have a well-defined SqlDbType equivalent that seems pretty sensible. And if you pass in NULL you're passing in DBNull, which as best I can tell would fall under Object and map to Variant: "A special data type that can contain numeric, string, binary, or date data as well as the SQL Server values Empty and Null, which is assumed if no other type is declared."
  • @ta.speot.is: all you say is true - but still: if I pass in 42 - what is this? TINYINT? SMALLINT? INT? I just prefer to be explicit about typing to control what gets used.

I suppose you get an Exception. I would kindly suggest catching your exception and telling us the message... You can catch the exception using the debugger or a try-catch clause.

If you don't get an exception and the "Control reached" message is displayed, you would have to take the formed SQL string and run it directly in SQL Server to see if there is a mistake in the SQL statement. I suppose that you somehow form an invalid SQL statement (e.g. using a non-existing ID).

Hope I helped!
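The following is an added example, not code from the question or either answer, that pulls the advice from the first answer (parameters, using() blocks) and the second (find out why nothing changed) into one piece. Two things on the page are worth making concrete: the question's handler concatenates `TextBox2` rather than `TextBox2.Text`, so the WHERE clause compares id against the control's type name and matches no row, which is exactly why ExecuteNonQuery() runs without error but changes nothing; and ExecuteNonQuery() returns the number of affected rows, so checking that value tells you whether the id existed without having to paste the SQL into SQL Server. The repository class, its method names, the TryParse-based input check and the hypothetical page class below are my assumptions; the connection string and the update_delete table/columns come from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// Hypothetical data-access helper (not from the page): all statements take their
// values from SqlParameters, so the text typed into the page never becomes SQL.
public static class UpdateDeleteRepository
{
    // Connection string as given in the question (illustration only).
    private const string ConnectionString =
        @"Data Source=GAGAN-PC\SQLEXPRESS;Initial Catalog=update_test;Integrated Security=True";

    // Validate the id before touching the database. TryParse avoids the
    // FormatException that Convert.ToInt32 throws on empty or non-numeric input.
    public static bool TryParseId(string text, out int id)
    {
        return int.TryParse((text ?? string.Empty).Trim(), out id);
    }

    // Returns the number of rows changed. 0 means no row with that id exists:
    // the statement succeeded but did nothing, the symptom from the question.
    public static int UpdatePassword(int id, string password)
    {
        const string sql = "UPDATE update_delete SET password = @password WHERE id = @id";

        // Both IDisposable objects are disposed even if ExecuteNonQuery throws.
        using (SqlConnection con = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@password", SqlDbType.VarChar, 50).Value = password;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Same pattern for the delete button; "id = @id" replaces the LIKE on an int column.
    public static int DeleteById(int id)
    {
        const string sql = "DELETE FROM update_delete WHERE id = @id";

        using (SqlConnection con = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// Hypothetical code-behind using the helper. As in the question, TextBox2 holds
// the id and TextBox3 the new password; the controls come from the designer file.
public partial class _Default : System.Web.UI.Page
{
    protected void update_button_Click(object sender, EventArgs e)
    {
        int id;
        if (!UpdateDeleteRepository.TryParseId(TextBox2.Text, out id))
        {
            Response.Write("Please enter a numeric id.");
            return;
        }

        try
        {
            int rows = UpdateDeleteRepository.UpdatePassword(id, TextBox3.Text.Trim());
            // Report the real outcome instead of unconditionally printing "success".
            Response.Write(rows == 1 ? "Data successfully updated." : "No row with that id.");
        }
        catch (SqlException ex)
        {
            // Keep the database error out of the page; the detail goes to the server log.
            Trace.TraceError(ex.ToString());
            Response.Write("The update could not be completed.");
        }
    }
}
```

The rows-affected check is the cheapest diagnostic for the original symptom: with the concatenated `TextBox2` the pattern is the string "System.Web.UI.WebControls.TextBox", the UPDATE affects 0 rows and the handler still prints "Data successfully Updated." The password is still stored as typed here, which the first comment on the answer rightly flags; hashing it before the UPDATE is a separate change and is not shown.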
