I use a select query to read the values and then reinsert (not update) them with some changes, using the code below. I am trying to run this query with insert and select at the same time, but it is not working and I don't get any errors.

string docdetls = "Insert into DocDetls (DocStatus,  DocType, DocNo,SeqNo,ItemCode,Quantity,Price,Disc,DiscAmount,VAT,ExpDate)"+
                    "(SELECT 2 as DocStatus,  DocType, @newdocno as DocNo,SeqNo,ItemCode,Quantity,Price,Disc,DiscAmount,VAT,ExpDate FROM docdetls where  DocStatus=@stat and DocNo=@docno)";
MySqlCommand cmd4 = new MySqlCommand(docdetls, con);
cmd4.Parameters.AddWithValue("stat", "1");
cmd4.Parameters.AddWithValue("newdocno", DocNoTxtBox.Text);
cmd4.Parameters.AddWithValue("DocNo",no );
con.Open();
cmd4.ExecuteNonQuery();
con.Close();

If I run the same query in MySQL Workbench with some values, it works. Is this possible? How can I make this work?

UPDATE after the answer

string docdetls = "Insert into DocDetls (DocStatus,  DocType, DocNo,SeqNo,ItemCode,Quantity,Price,Disc,DiscAmount,VAT,ExpDate)"+
                  "(SELECT 2 as DocStatus,  DocType, @newdocno as DocNo,SeqNo,ItemCode,Quantity,Price,Disc,DiscAmount,VAT,ExpDate FROM docdetls where  DocStatus=@stat and DocNo=@docno)";
MySqlCommand cmd4 = new MySqlCommand(docdetls, con);
cmd4.Parameters.AddWithValue("stat", "1");
//cmd4.Parameters.AddWithValue("newdocno", DocNoTxtBox.Text);
cmd4.Parameters.AddWithValue("DocNo", no);
cmd4.Parameters.Add("@newdocno", MySqlDbType.Int16).Value = DocNoTxtBox.Text;
con.Open();
cmd4.ExecuteNonQuery();
con.Close();

Still not working.

  • The question is about inserting with select. Not about insert and select. Commented May 6, 2019 at 5:54

2 Answers

I see a few things:

You can't parameterize your column names; you can only parameterize your values. That's why @newdocno as DocNo should not work. If you want to take this column as an input, you really need to do some strong validation before you concatenate it into your string, or use a white list.

To be more clear, you should define your parameter names in your command and in your parameter collection identically. That means, if you have

where  DocStatus=@stat and DocNo=@docno

in your command, your parameter collection should be:

cmd4.Parameters.AddWithValue("@stat", "1");
cmd4.Parameters.AddWithValue("@DocNo", no);

As a best practice, don't use the AddWithValue method. It might generate unexpected and surprising results. Use the .Add() method to specify your parameter type and its size instead.

And use the using statement to dispose of your database connections and commands automatically instead of calling Close methods manually.

5 Comments

And what about @newdocno? I need it. Is there a way to put it?
Is the only option a white list? Can you show me an example with my code of how to do a white list?
@marios I mentioned it in my answer. You try to parameterize your column name, which is not allowed. You should use string concatenation for your column, but before you do it, you need to use really strong validation before you put it in your SQL, or create a whitelist which includes the valid column names.
I don't need validation for this textbox because I generate the number from my code and put it there, and I set enabled=false.
Your answer didn't help me to solve my problem! I can't accept it.
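The following is an added example, not code from the question or the answer above. It puts the three recommendations from the answer into one method: parameter names in the SQL and in the parameter collection spelled identically, typed parameters via `.Add()` instead of `AddWithValue`, and `using` blocks for the connection and command. It also shows the whitelist pattern for the one thing that genuinely cannot be bound as a parameter, an identifier; here the destination table name is the assumed variable identifier. Note that `@newdocno AS DocNo` in the original statement is a value expression with an output alias, so the new document number is bound as an ordinary value parameter. The column types (`Int32` for DocStatus and DocNo), the table names `DocDetls` and `DocDetlsArchive`, and the method signature are assumptions; the connection string is supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using MySql.Data.MySqlClient;

// Added example (not the poster's code). Assumes MySql.Data (Connector/NET)
// and the DocDetls table from the question; column types are assumed Int32.
public static class DocDetlsCopier
{
    // Identifiers can never be bound as parameters, so a table or column name that
    // must vary at run time is checked against a fixed whitelist and only then
    // concatenated into the SQL text. "DocDetlsArchive" is a hypothetical name.
    private static readonly HashSet<string> AllowedTargetTables =
        new HashSet<string>(StringComparer.Ordinal) { "DocDetls", "DocDetlsArchive" };

    // Copies every row of document `sourceDocNo` with status `sourceStatus` into
    // `targetTable` as document `newDocNo` with status 2, and returns the number of
    // rows inserted.
    public static int CopyDocument(string connectionString, string targetTable,
                                   int sourceDocNo, int newDocNo, int sourceStatus = 1)
    {
        if (!AllowedTargetTables.Contains(targetTable))
            throw new ArgumentException("Table name is not whitelisted.", nameof(targetTable));

        // Values are placeholders; only the whitelisted identifier is concatenated.
        // "@newdocno" is a value in the SELECT list, not a column name.
        string sql =
            "INSERT INTO " + targetTable +
            " (DocStatus, DocType, DocNo, SeqNo, ItemCode, Quantity, Price, Disc, DiscAmount, VAT, ExpDate) " +
            "SELECT 2, DocType, @newdocno, SeqNo, ItemCode, Quantity, Price, Disc, DiscAmount, VAT, ExpDate " +
            "FROM DocDetls WHERE DocStatus = @stat AND DocNo = @docno";

        // using disposes the command and closes the connection even if ExecuteNonQuery throws.
        using (var con = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(sql, con))
        {
            // Names match the placeholders exactly (including the "@" prefix) and each
            // parameter carries an explicit type instead of AddWithValue's inference.
            cmd.Parameters.Add("@stat", MySqlDbType.Int32).Value = sourceStatus;
            cmd.Parameters.Add("@docno", MySqlDbType.Int32).Value = sourceDocNo;
            cmd.Parameters.Add("@newdocno", MySqlDbType.Int32).Value = newDocNo;

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The return value is worth checking at the call site: an INSERT ... SELECT that matches no source rows completes without an error and inserts nothing, so a result of 0 rows is the first thing to look at when the statement "runs" but the table does not change.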
I have done it with the code below

string docdetls = "Insert into DocDetls (DocStatus,  DocType, DocNo,SeqNo,ItemCode,Quantity,Price,Disc,DiscAmount,VAT,ExpDate)"+
                  "(SELECT 2 as DocStatus,  DocType, @newdocno as DocNo,SeqNo,ItemCode,Quantity,Price,Disc,DiscAmount,VAT,ExpDate FROM docdetls where  DocStatus=@stat and DocNo=@docno)";
MySqlCommand cmd4 = new MySqlCommand(docdetls, con);
cmd4.Parameters.AddWithValue("stat", "1");
//cmd4.Parameters.AddWithValue("newdocno", DocNoTxtBox.Text);
cmd4.Parameters.AddWithValue("DocNo", no);
cmd4.Parameters.Add("@newdocno", MySqlDbType.Int16).Value = DocNoTxtBox.Text;
con.Open();
cmd4.ExecuteNonQuery();
con.Close();

Comments
