How to create an UPDATE command line with fields based on the plate


I have an assignment that inserts, updates and deletes. The insert and delete are working properly, so my problem is with the update, which is:

 cmd.CommandText = "Update carros set placa='" + campoplaca.Text + "', marca='" + campomarca.Text + "' where placa='" + campoplaca.Text + "' and marca= '" + campomarca.Text + "'";

In my project I have the following columns:

id=int pk
placa=nvarchar
marca=nvarchar
modelo=nvarchar
combustivel=nvarchar
potencia=int
ano=int
preco=int

So my question is how to proceed with this command line. Where the plate and make already exist, what I want is for the WHERE to be by plate, and then to change the other fields. Also, will the "and" be needed on all of them?

// Requires: using System.Data.SqlServerCe; (the SQL Server Compact provider)
private void btAtualizar_Click(object sender, EventArgs e)
{
    try
    {
        // using disposes the connection even if ExecuteNonQuery throws
        using (SqlCeConnection conn = new SqlCeConnection("Data Source=C:\\Users\\Admin\\Documents\\Visual Studio 2015\\Projects\\WindowsFormsArrayEx03\\BD_Teste.sdf; Password=''"))
        {
            conn.Open();

            SqlCeCommand cmd = conn.CreateCommand();

            // The text-box values are concatenated straight into the SQL (the flaw discussed in the answer)
            cmd.CommandText = "Update carros set placa='" + campoplaca.Text + "', marca='" + campomarca.Text + "' where placa='" + campoplaca.Text + "' and marca= '" + campomarca.Text + "'";

            cmd.ExecuteNonQuery();

            // Report success only after the UPDATE has actually run
            MessageBox.Show("ATUALIZADO!!!");
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.StackTrace);
    }
}
  • Actually, you don't even put "and" in an update. Is the plate your primary key?

  • This way of doing it has a fundamental error. There is a huge security flaw. If you start by fixing it, that is already a good way to fix the rest. See: http://answall.com/q/104614/101 OR http://answall.com/q/136287/101 (check the most voted one; the accepted one insists on the error).

  • @Gabrielfalieri yes, you do put "and" or "or" in an update if necessary. There are no restrictions. Beware of generalized statements.

  • my primary key is id, but then I won't use it for the update, but rather the plate

1 answer


First, it is not advisable to concatenate SQL statements the way you did.

cmd.CommandText = "Update carros set placa='" + campoplaca.Text + "', marca='" + campomarca.Text + "' where placa='" + campoplaca.Text + "' and marca= '" + campomarca.Text + "'";

Here is one possibility for your example: do your WHERE using the table's primary key. That way you can change both placa and marca in the same UPDATE statement.

cmd.CommandText = "Update carros set placa=@placa, marca=@marca where id=@id";
// SQL Server Compact commands take SqlCeParameter (SqlClient's SqlParameter would be rejected);
// the values come from the form's text boxes and id is the int primary key of the row being edited
cmd.Parameters.Add(new SqlCeParameter { ParameterName = "@placa", Value = campoplaca.Text });
cmd.Parameters.Add(new SqlCeParameter { ParameterName = "@marca", Value = campomarca.Text });
cmd.Parameters.Add(new SqlCeParameter { ParameterName = "@id", Value = id });
  • Thank you, I will test it.

  • I ended up using the code like this, but I think the problem may be when updating the int parameters, such as power, year and price.

  • Good, here are the reasons to use it this way. http://www.cdvagabundo.com.br/imagens/sql-injection-urbano .... and https://pt.wikipedia.org/wiki/Inje%C3%A7%C3%A3o_de_SQL
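The point made in the answer and its comments, shown as an added example that is not code from the question or the answer. The page's code is C# against SQL Server Compact; the behaviour is the same in any SQL engine, so this uses Python's built-in sqlite3 module on a constructed in-memory carros table with the columns the question lists (sample rows and the hostile plate value are made up here). The first function mirrors the question's concatenated UPDATE: a plate value that closes the quote rewrites every row in the table. The second mirrors the answer: WHERE on the primary key, every value bound as a parameter, and the int columns (potencia, ano, preco, the concern raised in the comment above) converted from their text-box strings before binding, so a non-numeric value fails before any SQL runs.

```python
import sqlite3

# Constructed sample data (not from the original page): rows for the
# "carros" table with the columns the question lists.
SAMPLE_ROWS = [
    (1, "ABC1234", "Fiat", "Uno", "flex", 70, 2010, 15000),
    (2, "DEF5678", "Ford", "Ka", "flex", 85, 2015, 30000),
    (3, "GHI9012", "VW", "Gol", "gasolina", 100, 2018, 45000),
]

# A plate value someone could type into campoplaca: it closes the quote,
# adds its own SET clause, replaces the WHERE and comments out the rest.
HOSTILE_PLACA = "ABC1234', preco=0 WHERE '1'='1' --"


def make_db():
    """Create an in-memory SQLite database with the sample carros table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE carros (id INTEGER PRIMARY KEY, placa TEXT, marca TEXT, "
        "modelo TEXT, combustivel TEXT, potencia INTEGER, ano INTEGER, preco INTEGER)"
    )
    conn.executemany("INSERT INTO carros VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def snapshot(conn):
    """Return (id, placa, marca, potencia, ano, preco) for every row, ordered by id."""
    return conn.execute(
        "SELECT id, placa, marca, potencia, ano, preco FROM carros ORDER BY id"
    ).fetchall()


def update_concatenated(conn, placa, marca):
    """The question's approach: text-box values pasted straight into the SQL.

    Returns the number of rows the UPDATE touched.
    """
    sql = ("UPDATE carros SET placa='" + placa + "', marca='" + marca
           + "' WHERE placa='" + placa + "' AND marca='" + marca + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_parameterized(conn, car_id, placa, marca, potencia, ano, preco):
    """The answer's approach: WHERE on the primary key, every value bound as a
    parameter, so the driver never interprets user input as SQL.

    potencia, ano and preco arrive as text-box strings and are converted to
    int first; a non-numeric value raises ValueError before any SQL runs.
    Returns the number of rows the UPDATE touched (0 or 1).
    """
    values = (placa, marca, int(potencia), int(ano), int(preco), car_id)
    cur = conn.execute(
        "UPDATE carros SET placa=?, marca=?, potencia=?, ano=?, preco=? WHERE id=?",
        values,
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = make_db()
    print("concatenated, rows changed:",
          update_concatenated(conn, HOSTILE_PLACA, "Fiat"))
    print(snapshot(conn))

    conn = make_db()
    print("parameterized, rows changed:",
          update_parameterized(conn, 1, HOSTILE_PLACA, "Fiat", "70", "2010", "15000"))
    print(snapshot(conn))
```

With the concatenated version the hostile plate turns the statement into `UPDATE carros SET placa='ABC1234', preco=0 WHERE '1'='1'` and all three rows are changed; with the parameterized version the same text is stored literally in the plate column of row 1 and nothing else moves. In the C# from the page the equivalent for the int columns is a SqlCeParameter whose value is the parsed int (or whose SqlDbType is set to SqlDbType.Int), not the raw TextBox.Text.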
