Error saving BD change in C#

Question

Error saving BD change in C#

Asked 5 years, 3 months ago

Viewed 86 times

3

I have a certain error when making changes to some data registered in the database, picture below the error

also follows the code used:

private void btnSalvar_Click(object sender, EventArgs e)
{
            conectar.Open();
            //Convertendo

            Converter = Convert.ToInt32(txtQuantidade.Text);
            converterdata = Convert.ToDateTime(DTPEntrada.Text);


            MySqlCommand Inserir = new MySqlCommand();
            Inserir.Connection = conectar;
            Inserir.CommandText = "UPDATE  Pacote SET Nome = '" + txtNome.Text + 
                "', Quantidade = '" + Converter + "', peca =" + cbxPeca.Text + 
                ", Data_entrada = " + converterdata + " WHERE ID_Pacote =" + alterar2 +  " ";


            Inserir.ExecuteNonQuery();
            conectar.Close();
            alterar2 = 0;
            txtNome.Text = "";
            txtQuantidade.Text = "";
            //txtDescricao.Text = "";
            MessageBox.Show("Pacote alterado", "Concluido",
              MessageBoxButtons.OK,
              MessageBoxIcon.Information);
            selecionarCategoria();


        }

Also follows the Bank Code:

    CREATE DATABASE ProdPacote;
USE ProdPacote;

CREATE TABLE Produto(
ID_Produto INT PRIMARY KEY AUTO_INCREMENT,
Nome VARCHAR (200) NOT NULL,
Descricao VARCHAR (200) NOT NULL,
Preco DOUBLE NOT NULL,
`status` TINYINT NOT NULL);  

CREATE TABLE Pacote(
ID_Pacote INT PRIMARY KEY AUTO_INCREMENT,
Nome VARCHAR (200) NOT NULL,
peca VARCHAR (200) NOT NULL,
Quantidade INT NOT NULL,
Data_entrada DATETIME NOT NULL);





CREATE TABLE Produto_Pacote(
ID_Produto_Pacote INT PRIMARY KEY AUTO_INCREMENT,
Data_Hora DATE NOT NULL,
FK_ID_Produto INT NOT NULL,
FK_ID_Pacote INT NOT NULL,

CONSTRAINT Produto_Pacote
FOREIGN KEY (FK_ID_Produto)
REFERENCES Produto (ID_Produto),

CONSTRAINT Pacote_Produto
FOREIGN KEY(FK_ID_Pacote)
REFERENCES Pacote(ID_Pacote));

It has a lot of problem in its code Pietro, the Insert is extremely vulnerable to SQL Injection with the code this way, besides the error in the concatenation that makes not even the insertion work.

– George Wurthmann

2019/04/04 at 02:43

2 answers

3

The ideal is to do the Insert as in the example below:

MySqlConnection conn = new MySqlConnection(connString);
conn.Open();
MySqlCommand cmd = conn.CreateCommand();

cmd.CommandText = @"UPDATE  Pacote SET Nome = ?Nome, Quantidade = ?Quantidade, 
                   peca = Peca ,Data_entrada = ?Data WHERE ID_Pacote = ?ID";

cmd.Parameters.Add("?Nome", MySqlDbType.VarChar).Value = txtNome.Text;
cmd.Parameters.Add("?Quantidade", MySqlDbType.Int32).Value = Converter;
cmd.Parameters.Add("?peca", MySqlDbType.VarChar).Value = cbxPeca.Text;
cmd.Parameters.Add("?Data", MySqlDbType.Date).Value = converterdata;
cmd.Parameters.Add("?ID", MySqlDbType.Int32).Value = alterar2;
cmd.ExecuteNonQuery();
conn.Close();

There are several questions here at Sopt that explain why it should not be as it is in your question:

We posted almost together xD, good response.

– Jéf Bueno

2019/04/04 at 02:56
@LINQ technical tie! xD

– George Wurthmann

2019/04/04 at 02:56
@Pietronunciaroni that answer is not mine.

– Jéf Bueno

2019/04/04 at 10:27
1

@Georgewurthmann, Thanks also man, as it was a technical tie I used the two kkk but ended up giving more right to yours on account of being mysql

– Pietro Nunciaroni

2019/04/04 at 10:27

Browser other questions tagged c# mysql winforms

You are not signed in. Login or sign up in order to post.

by Jéf Bueno • **67,331** points · Answer 1 · 2019-04-04T02:53:23+00:00

There are a number of problems there, but the main problem (which is causing the error in the case) is that your SQL command is wrong. You probably wrote something wrong precisely because it is very difficult to read this concatenation-filled code and understand something.

For easy reading, find the problem and still break avoid SQL Injection, use parameters.

inserir.CommandText = @"UPDATE Pacote SET Nome = @NOME,
                                          Quantidade = @QUANTIDADE, 
                                          Peca = @PECA, 
                                          Data_entrada = @DT_ENTRADA 
                                          WHERE ID_Pacote = ID_PACOTE"

command.Parameters.Add("@NOME", SqlDbType.VarChar);
command.Parameters["@NOME"].Value = txtNome.Text;
// ... Continue para todos os parâmetros

Now that I’ve rewritten your SQL, I realize the errors:

The value of Quantidade is in quotes - I imagine it’s an integer;
The value of Peca is not in quotes