I have three web forms. Two of them save data that the user enters. They work fine. The third web form has a Submit button on it that will take the data from one database and insert it into another on button click. The same button will also print a report using CR. My SQL statement is not working for the third web form for inserting. What did I do wrong?

Here is my code:
C#
protected void ButtonSubmit2_Click(object sender, EventArgs e)
{
    SqlConnection con2 = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
    con2.Open();

    // The user id is concatenated straight into the query text.
    SqlCommand scmd3 = new SqlCommand("Select User_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b,INST_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b, FTEYR, THCAS, FTE40, HC50, FTE4050 from Table2 where User_ID = '" + TextBoxUser_ID.Text + "'", con2);

    // The INSERT names its columns but has no VALUES or SELECT clause,
    // and neither command is ever executed before the connection is closed.
    SqlCommand cmd = new SqlCommand("Insert into Table1 (User_ID, FT_UNDERGR, DATE, FT_GRAD, FTE_UNDERG, FTE_GRAD, NON_CREDIT, TOTAL_FTE, FCFTUHC, FCFTPBHC, FCPTUHC, FCPTPBHC, NCHC, UnderG12, Postb9, Total123b4b, FTEYR, THCAS, FTE40, HC50, FTE4050);", con2);
    con2.Close();
}
Comments
Richard Deeming 30-Oct-14 13:44pm    
Your code is vulnerable to SQL Injection.

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Computer Wiz99 30-Oct-14 13:46pm    
How when selecting? Plus, is my SQL statement right for writing code to another table?

1 solution

First problem: Your select command (scmd3) is using string concatenation to insert the user ID, leaving it vulnerable to SQL Injection.

Second problem: You have two separate commands which know nothing about each other. The data returned from scmd3 isn't going to magically transfer itself to the INSERT statement in cmd.

Third problem: You never execute either command.


The solution is simple: combine the two commands into a single INSERT statement:
C#
const string commandText = @"INSERT INTO Table1 
(
    User_ID, 
    FT_UNDERGR, 
    DATE, 
    FT_GRAD, 
    FTE_UNDERG, 
    FTE_GRAD, 
    NON_CREDIT, 
    TOTAL_FTE, 
    FCFTUHC, 
    FCFTPBHC, 
    FCPTUHC, 
    FCPTPBHC, 
    NCHC, 
    UnderG12, 
    Postb9, 
    Total123b4b, 
    FTEYR, 
    THCAS, 
    FTE40, 
    HC50, 
    FTE4050
)
SELECT
    User_ID, 
    FT_UNDERGR, 
    DATE, 
    FT_GRAD, 
    FTE_UNDERG, 
    FTE_GRAD, 
    NON_CREDIT, 
    TOTAL_FTE, 
    FCFTUHC, 
    FCFTPBHC, 
    FCPTUHC, 
    FCPTPBHC, 
    NCHC, 
    UnderG12, 
    Postb9, 
    Total123b4b,
    FTEYR, 
    THCAS, 
    FTE40, 
    HC50, 
    FTE4050
FROM
    Table2
WHERE
    User_ID = @UserID
;";

using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
using (SqlCommand cmd = new SqlCommand(commandText, con))
{
    cmd.Parameters.AddWithValue("@UserID", TextBoxUser_ID.Text);
    
    con.Open();
    cmd.ExecuteNonQuery();
}
 
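As an added example, not part of the question or of the answer above: the same single parameterized INSERT ... SELECT in Python against an in-memory SQLite database (standing in for C#/SQL Server; SQLite writes the placeholder as `?` where ADO.NET uses `@UserID`), using a constructed, reduced set of the page's columns. It returns the affected-row count, the value ExecuteNonQuery() also returns, so the caller can tell an unknown user id from a successful copy, and it shows why the concatenated version fails on an ordinary id that contains a quote.

```python
import sqlite3

# Constructed, reduced column set standing in for the page's 21 columns.
COLUMNS = ["User_ID", "FT_UNDERGR", "FT_GRAD", "TOTAL_FTE"]
COLUMN_LIST = ", ".join(COLUMNS)

# The answer's single INSERT ... SELECT with User_ID bound as a parameter.
# SQLite writes the placeholder as '?' where SQL Server / ADO.NET uses '@UserID'.
COPY_SQL = (f"INSERT INTO Table1 ({COLUMN_LIST}) "
            f"SELECT {COLUMN_LIST} FROM Table2 WHERE User_ID = ?")

def make_db():
    """In-memory database with constructed sample rows in Table2."""
    con = sqlite3.connect(":memory:")
    schema = ", ".join(f"{c} TEXT" if c == "User_ID" else f"{c} INTEGER"
                       for c in COLUMNS)
    con.execute(f"CREATE TABLE Table2 ({schema})")
    con.execute(f"CREATE TABLE Table1 ({schema})")
    con.executemany("INSERT INTO Table2 VALUES (?, ?, ?, ?)", [
        ("alice", 120, 30, 150),
        ("O'Brien", 80, 20, 100),  # a legitimate id that contains a quote
        ("carol", 60, 10, 70),
    ])
    return con

def copy_user_rows(con, user_id):
    """Copy the Table2 rows for user_id into Table1; return the row count.

    That count is what ExecuteNonQuery() returns in ADO.NET; checking it is
    how the caller learns that an unknown id copied nothing. The 'with con:'
    block commits on success and rolls back on error.
    """
    with con:
        return con.execute(COPY_SQL, (user_id,)).rowcount

def concatenated_copy(con, user_id):
    """The asker's pattern, splicing the id into the SQL text. Kept only to
    show its failure mode: returns None when the statement no longer parses
    because the id itself contained a quote."""
    sql = COPY_SQL.replace("?", "'" + user_id + "'")
    try:
        with con:
            return con.execute(sql).rowcount
    except sqlite3.OperationalError:
        return None

def rows_in_table1(con):
    """Contents of Table1, to check what a copy actually wrote."""
    return con.execute("SELECT User_ID, TOTAL_FTE FROM Table1 "
                       "ORDER BY User_ID").fetchall()
```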
Comments
Gaurav Aroraa 30-Oct-14 17:18pm    
Good one

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
