Value Summation Problems with C# and Mysql


I’m developing software that catalogs manga, and one of the problems I’m having is with inputting volumes. What should happen: the user sets numVolumes to 2, that is, he will add 2 more volumes of manga to the manga table. But that code isn’t working. numVolumes is a NumericUpDown and so is txtId.

    private void btndicionar_Click(object sender, EventArgs e)
    {
        strMysql = "update manga set volumes = volumes + " + Convert.ToInt(numVolumes.Value) + " where idManga " + txtId.Value + ";";

        MySqlCommand comando = new MySqlCommand(strMysql, con);

        try
        {
            con.Open();
            // I commented out this code because I didn't think it was necessary
            //comando.Parameters.Clear();
            //comando.Parameters.AddWithValue("@soma", numVolumes.Value);

            comando.ExecuteNonQuery();
        }
        catch (Exception erro)
        {
            MessageBox.Show("Ocorreu um erro:\n" + erro);
        }
        finally
        {
            con.Close();
        }
    }

  • 3

    It's better this way, because this code suffers from SQL injection, so its not working is much more interesting. Fix that first, and you know how to do it because it is in the comments; then think about the solution to this sum problem (I know someone will answer this without worrying about security, because it’s easy not to take responsibility for the mistake). There are still conversion errors that will break the application, and it catches the wrong exception. Search here on the site, which has how to do it the right way.

  • 2

    The line that begins with strMysql = "update... has an error: if it is a string, the Convert.ToInt(numVolumes.Value) will fail to concatenate; if you leave only numVolumes.Value, it should work.

  • 1

    But as already commented, to avoid SQL injection it would be good to build a parameterized query; there are examples here on the site. If you don’t find what you need, comment here so we can help.

  • 2

    The equal sign is missing -> " where idManga = "; if it is a text type, put the equal sign and single quotes, concatenating with the parameter and ending with single quotes.

No answers
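
A parameterized form of the update that the comments recommend, as an added example that is not part of the original question or its comments. The class and method names (`MangaRepository`, `AddVolumes`) and the `connectionString` argument are assumptions; the table, the columns and the `@soma` parameter name come from the question.

```csharp
using System;
using MySql.Data.MySqlClient;

// Hypothetical helper class (not from the question).
public static class MangaRepository
{
    // Adds volumesToAdd to manga.volumes for one row.
    // Returns the row count reported by the server; 0 means no row had that idManga.
    public static int AddVolumes(string connectionString, decimal idValue, decimal volumesValue)
    {
        // NumericUpDown.Value is a decimal: convert once, here, instead of
        // concatenating it into the SQL text. Throws OverflowException if out of range.
        int idManga = Convert.ToInt32(idValue);
        int volumesToAdd = Convert.ToInt32(volumesValue);

        if (volumesToAdd <= 0)
            throw new ArgumentOutOfRangeException(nameof(volumesValue),
                "The number of volumes to add must be positive.");

        // The SQL text is a constant; user-supplied values travel only as parameters,
        // so they can never change the structure of the statement.
        const string sql =
            "UPDATE manga SET volumes = volumes + @soma WHERE idManga = @id;";

        // using disposes (and closes) the connection and command even on exceptions.
        using (var con = new MySqlConnection(connectionString))
        using (var comando = new MySqlCommand(sql, con))
        {
            // Explicit types avoid the type guessing done by AddWithValue.
            comando.Parameters.Add("@soma", MySqlDbType.Int32).Value = volumesToAdd;
            comando.Parameters.Add("@id", MySqlDbType.Int32).Value = idManga;

            con.Open();
            return comando.ExecuteNonQuery();
        }
    }
}
```

In the click handler, call `MangaRepository.AddVolumes(connectionString, txtId.Value, numVolumes.Value)` and catch `MySqlException` rather than `Exception`, so database failures are reported separately from programming errors.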
