
I am trying to update a set of data on a button click. I have a username, a date of birth, and CurrentEmailAddress, NewEmailAddress, ConfirmNewEmailAddress fields.

I'm trying to update all of them on a single click. I am able to update the username, but I couldn't update the date of birth and email address.

Below is my C# code. Do note that myDBManager is used to execute the update and it has no problem.

    // SQL query: a single multi-table UPDATE built by string concatenation
    string updateSQL = "UPDATE user_profile,user_login SET ";
    updateSQL += "user_profile.user_name = '" + txtUserName.Text + "', ";
    updateSQL += "user_profile.user_dob = '" + txtDateOfBirth.Text + "'";

    // Note: each check compares against a single space " ", not an empty string ""
    if (txtNewPassword.Text != " " && txtNewEmailAddress.Text == " ")
    {
        updateSQL += ", user_login.user_passw = '" + txtNewPassword.Text + "'";
    }
    else if (txtNewPassword.Text == " " && txtNewEmailAddress.Text != " ")
    {
        updateSQL += ", user_profile.user_email = '" + txtNewEmailAddress.Text + "'";
    }
    else if (txtNewPassword.Text != " " && txtNewEmailAddress.Text != " ")
    {
        updateSQL += ", user_login.user_passw = '" + txtNewPassword.Text + "',";
        updateSQL += "user_profile.user_email = '" + txtNewEmailAddress.Text + "'";
    }
    else { }

    // WHERE clause; the statement is terminated with ";" and then
    // whatever GetNewIndex() returns is appended after it
    updateSQL += " WHERE user_profile.user_profile_id = 1 ";
    updateSQL += " AND user_login.user_profile_id = 1 ;";
    updateSQL += Global.myDBManager.GetNewIndex();

    int update = Global.myDBManager.ExecuteSql(updateSQL);

    // Close connection
    Global.myDBManager.Disconnect();
  • Are you getting an exception? Commented Jun 28, 2011 at 7:10
  • You really really really want to use command parameters. Building SQL queries via string concatenation from user input IS EVIL. Commented Jun 28, 2011 at 7:10
  • Can you post the full SQL that you're executing in the question, I think that may help us come up with an answer. I find your code a little strange, why are you checking the password field in each if statement? That seems odd. And the last else {} doesn't do anything. Commented Jun 28, 2011 at 7:11
  • Second @ChrisWue, string concat is the recipe for SQL injection hacks (granted this may be a WinForms app, but it's still a bad practice, stay clear). Commented Jun 28, 2011 at 7:12
  • updateSQL += " AND user_login.user_profile_id = 1 ;"; Notice the double ";" and then you add updateSQL += Global.myDBManager.GetNewIndex(); Thus, you are actually running 2 queries (?). Anyways, what does GetNewIndex() do? Commented Jun 28, 2011 at 7:14

2 Answers

Listen to the comments in this question - what you are doing, aside from not actually working for you, is very dangerous, and ripe for SQL Injection attacks. Google for "sql injection c#" and implement a solution - this article looks good:

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

Once you've fixed that, you probably had/have some sort of simple code bug that is preventing your code from working, because your method (aside from the vulnerabilities) doesn't look too bad.

Stick a breakpoint on the top of the method, and work through the method, making sure the sql string is being built up as expected.

Hope that helps!
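The parameterised rewrite that the answer and the comments recommend, as an added example and not the asker's or the answerer's code: it keeps the same two-table UPDATE, binds every value through a DbParameter so that user input never becomes part of the SQL text, and uses IsNullOrWhiteSpace for the empty checks. It assumes an ADO.NET provider that accepts "@name" parameters (MySql.Data or SqlClient) and the MySQL multi-table UPDATE syntax used in the question.

```csharp
using System.Collections.Generic;
using System.Data.Common;

// Added example, not the asker's code: the same UPDATE with bound parameters.
// Assumes an ADO.NET provider that accepts "@name" parameters (MySql.Data, SqlClient).
public static class ProfileUpdater
{
    public static int UpdateProfile(DbConnection conn, int profileId, string userName,
                                    string dob, string newPassword, string newEmail)
    {
        // SET clauses reference parameter names; user input never enters the SQL text.
        var assignments = new List<string> { "user_profile.user_name = @userName",
                                             "user_profile.user_dob = @dob" };
        var values = new Dictionary<string, object>
            { { "@userName", userName }, { "@dob", dob }, { "@id", profileId } };

        // IsNullOrWhiteSpace replaces the original != " " test, which only
        // rejected a single space (.NET 4+; use Trim().Length == 0 on older runtimes).
        if (!string.IsNullOrWhiteSpace(newPassword))
        {
            assignments.Add("user_login.user_passw = @passw");
            values["@passw"] = newPassword;   // in practice store a password hash, not clear text
        }
        if (!string.IsNullOrWhiteSpace(newEmail))
        {
            assignments.Add("user_profile.user_email = @email");
            values["@email"] = newEmail;
        }

        // MySQL multi-table UPDATE as in the question; nothing is appended after
        // the WHERE clause, so exactly one statement is sent to the server.
        string sql = "UPDATE user_profile, user_login SET " + string.Join(", ", assignments.ToArray())
                   + " WHERE user_profile.user_profile_id = @id"
                   + " AND user_login.user_profile_id = @id";

        using (DbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = sql;
            foreach (KeyValuePair<string, object> kv in values)
            {
                DbParameter p = cmd.CreateParameter();
                p.ParameterName = kv.Key;
                p.Value = kv.Value;
                cmd.Parameters.Add(p);
            }
            return cmd.ExecuteNonQuery();   // rows affected
        }
    }
}
```

Call it with an open connection and the text of the form fields; a password that arrives as a single space now leaves user_passw untouched instead of being written to the table.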


For checking an empty string, use

!string.IsNullOrWhiteSpace(txtNewPassword.Text)

instead of

txtNewPassword.Text != " "

Thanks Ashwani

3 Comments

  • Very good practice to use that instead, yes (if he's using .NET 4).
  • Yes, I'm using it but I got an error saying: Error 10 'string' does not contain a definition for 'IsNullOrWhiteSpace'
  • It's new for .NET 4. You can use IsNullOrEmpty, but it won't trim whitespace for you, so you have to do that manually.
