0

I have a winform which i have attached here.. When i Insert record in Customer table, I also want to add the record in the orderlineitems table in my database as of which the record in the Order table will also be inserted. I have inserted the record in Customer table but when i insert record in OrderLineItems table, it shows an error.

I also wanted to ask that, my OrderLineItems Table in database contains columns as :

  1. ID(pk)
  2. OrderID(pk)
  3. Quantity
  4. Particular
  5. Rates
  6. Status

On my Form, I have only quantity, particular and rates fields from which i can get their values but i dont have Status and Orderid values on my winform. how do i get the values of status and orderId then?

My Code is:

private void buttonInsert_Click(object sender, EventArgs e)
    {
        string SQL = String.Format("Insert into Customer values ('{0}','{1}','{2}')", textBoxName.Text, textBoxContactNo.Text, textBoxAddress.Text);
        //string SQL1 = String.Format("Insert into Order values ({0},'{1}','{2}',{3})",);
        DataManagementClass dm = new DataManagementClass();

    int result = dm.ExecuteActionQuery(SQL);
    if (result > 0)
    {

        for (int i = 0; i < recordsDataGridView.RowCount ; i++)
        {
            string query = String.Format("Insert into OrderLineItems values({0},'{1}','{2}','{3}',{4})",7,QuantityColumn, ParticularColumn, RatesColumn,1);
            dm.ExecuteActionQuery(query);
        }
        //string query = String.Format("Insert into OrderLineItems values ('{0}','{1},'{2}'

    }

What am i doing wrong here. please guide me the correct way. Thanx.. WinForm Image

Improve this question
3
  • 1
    what error is it showing? any reason you cannot use LINQ to SQL by the way? Commented Sep 28, 2011 at 19:51
  • 1
    Let's hope textBoxName.Text doesn't contain value ' OR 1=1; DROP TABLE Customer;-- Commented Sep 28, 2011 at 19:51
  • it shows string value can not be converted into int Commented Sep 28, 2011 at 19:54

2 Answers 2

Reset to default
2

Suggest a few enhancements to get your business logic working and maintainable:

  • write a stored procedure for your CreateCustomer and CreateLineItem routines in your database.
  • use a SqlCommand and its Parameters collection. Stop whatever you're doing right now and guard against SQL injection.
  • remove all this code from the button click event.
  • create new methods like CreateCustomer and CreateLineItems. Call these method from your button click handler method.
 private void buttonInsert_Click(object sender, EventArgs e)
 {
   int result = CreateCustomer(textBoxName.Text.Trim(),
                               textBoxContactNo.Text.Trim(),
                               textBoxAddress.Text.Trim());
    if (result > 0)
    {
       foreach(var row in recordsDataGridView.Rows)
       {
           CreateLineItem(quantity, particulars, rates);
       }
    }
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

p.campell, i dont know why do i scare from stored procedures, may b i dont know how to do work by using them. i will definitely learn to use storedprocedures.
1

You are inserting values like this: '{1}','{2}','{3}'

This leads me to assume you are inserting string values.
If there is an apostroph in your string values, it will cause a syntax error.
Try 

yourstring.replace("'", "''")

on the arguments.


Also, do as p.campbell suggest..
Use parameters to prevent SQL injection..
Somebody might malicously take advantage of your code's open security holes..

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.