1

How can I modify my delete button code to delete a selected row from my SQL database? Currently when I select one row and click the delete button all the rows are deleted.

private void delete_button1_Click_1(object sender, EventArgs e)
    {
        if (dataGridView1.SelectedRows.Count > 0)
        {
            int selectedIndex = dataGridView1.SelectedRows[0].Index;
            string sqlquery;
            string ConString = ConfigurationManager.ConnectionStrings["ConString"].ConnectionString;
            MySqlConnection con = new MySqlConnection(ConString);
            con.Open();
            int rowID = int.Parse(dataGridView1[0, selectedIndex].Value.ToString());
            sqlquery = "DELETE FROM hotel_booking WHERE BookingID = BookingID";

            try
            {
                MySqlCommand command = new MySqlCommand(sqlquery, con);
                command.ExecuteNonQuery();
                string CmdString = "SELECT * FROM hotel_booking";
                MySqlDataAdapter sda = new MySqlDataAdapter(CmdString, con);
                DataSet ds = new DataSet();
                sda.Fill(ds);
                dataGridView1.DataSource = ds.Tables[0].DefaultView;
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }
    }
2
  • Your problem is here: sqlquery = "DELETE FROM hotel_booking WHERE BookingID = BookingID". That where part is always true. Commented Jun 28, 2016 at 14:12
  • What can I do to delete only the selected row? Commented Jun 28, 2016 at 14:12

3 Answers

2

Do not try to run this query, it will delete all of your rows

DELETE FROM hotel_booking WHERE BookingID = BookingID

BookingID = BookingID means it is always true

I think you are trying to use

int rowID = int.Parse(dataGridView1[0, selectedIndex].Value.ToString());
sqlquery = "DELETE FROM hotel_booking WHERE BookingID = "+ rowID;

8 Comments

Sorry but this is not acceptable. You MUST use parametrized queries to avoid Sql Injection
I think there is no possible SQL injection, because you parse the index of the selected item and it is saved in an integer. And a numerical index can't be used to inject any queries, can it? If I am mistaken, then I am terribly sorry, but please prove me wrong by some facts. @Pikoh
Maybe in this particular case a SQL Injection is not very likely, but we all must get used to always using parametrized queries. This is even more important when dealing with newbies that don't understand when SQL Injection is likely, so we must teach them to use parametrized queries in all cases.
No problem :), but as @Pikoh said, you should not use this example. In this case it is ok to make the query look like this, but in other cases you should use his solution with parametrized query.
@RossH yes, it works but be very careful, you should use Parametrized queries. BTW, in my answer there was another typo, that's why it didn't work for you.
1

You are currently deleting all rows because of a mistake in your WHERE clause:

DELETE FROM hotel_booking WHERE BookingID = BookingID

deletes all rows because in each row BookingID equals BookingID.

You want to take rowID as criteria, so add it as a parameter:

int rowID = int.Parse(dataGridView1[0, selectedIndex].Value.ToString());
sqlquery = "DELETE FROM hotel_booking WHERE BookingID = @rid";   
try
{
    MySqlCommand command = new MySqlCommand(sqlquery, con);
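    // MySqlCommand parameters take MySqlDbType (MySql.Data.MySqlClient), not System.Data.SqlDbType
    command.Parameters.Add("@rid", MySqlDbType.Int32).Value = rowID;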
    command.ExecuteNonQuery();

Note that inserting user generated values directly into your query (like "WHERE BookingID = " + rowID...) is vulnerable to SQL Injection. Although for numeric types this is not such a big danger, you should generally use parameterized queries as above.


1

Your problem is here:

sqlquery = "DELETE FROM hotel_booking WHERE BookingID = BookingID"

That where part is always true.

Change it to this:

sqlquery = "DELETE FROM hotel_booking WHERE BookingID = @BookingID";
try
{
    MySqlCommand command = new MySqlCommand(sqlquery, con);
    command.Parameters.AddWithValue("@BookingID", rowID);
    command.ExecuteNonQuery();
    ...

4 Comments

It's now saying rowId does not exist in the current context.
Sorry, a typo. It's rowID, so it should be command.Parameters.AddWithValue("@BookingId", rowID);, I've edited my answer
Still not working, when I click delete nothing happens at all. But no errors.
Debug your code and inspect what the value of rowID is. Maybe it is not a value present in the database
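
The parameterized delete from the answers above, written out as a complete handler. This is an added example, not code from any of the posters. It assumes the question's form, grid, `hotel_booking` table, `"ConString"` entry, and that grid column 0 holds `BookingID`. It also reports when the delete matched no row, which is the "nothing happens, but no errors" case from the last comment thread.

```csharp
// Added example; assumes the question's form, grid, table and "ConString" entry.
// Requires: using System; using System.Configuration; using System.Data;
//           using System.Windows.Forms; using MySql.Data.MySqlClient;
private void delete_button1_Click_1(object sender, EventArgs e)
{
    if (dataGridView1.SelectedRows.Count == 0)
        return;

    // Column 0 is assumed to hold BookingID, as in the question.
    object cell = dataGridView1.SelectedRows[0].Cells[0].Value;
    if (cell == null || !int.TryParse(cell.ToString(), out int bookingId))
    {
        MessageBox.Show("The selected row has no valid BookingID.");
        return;
    }

    string conString = ConfigurationManager.ConnectionStrings["ConString"].ConnectionString;
    try
    {
        using (var con = new MySqlConnection(conString))
        {
            con.Open();

            // The value travels as a typed parameter, never as SQL text.
            using (var delete = new MySqlCommand(
                "DELETE FROM hotel_booking WHERE BookingID = @BookingID", con))
            {
                delete.Parameters.Add("@BookingID", MySqlDbType.Int32).Value = bookingId;
                int affected = delete.ExecuteNonQuery();

                // A delete by key should touch exactly one row; 0 means no match.
                if (affected != 1)
                    MessageBox.Show($"Expected 1 row deleted, got {affected} for BookingID {bookingId}.");
            }

            // Reload the grid from the table after the delete.
            using (var sda = new MySqlDataAdapter("SELECT * FROM hotel_booking", con))
            {
                var table = new DataTable();
                sda.Fill(table);
                dataGridView1.DataSource = table;
            }
        }
    }
    catch (MySqlException ex)
    {
        MessageBox.Show(ex.Message);
    }
}
```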
