A question regarding C# and SQL [closed]

Tags: c#, sql, winforms

I want to perform the update of an existing record. The way I have pasted my code here, I have successfully achieved my task, but I don't actually want to do the update that way. I want to do it such that I get the ID of the customer.

private void btnUpdate_Click(object sender, EventArgs e)
{
    SqlConnection cn = new SqlConnection(@"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True");
    if (cn.State == ConnectionState.Closed)
    {
        cn.Open();
    }
    // The UPDATE statement is built by concatenating the text-box contents into the SQL string.
    int result = new SqlCommand(
        "Update Customer set Customer_Name = '" + tbName.Text +
        "',Cell_Number = '" + tbContactNumber.Text +
        "',Customer_Address = '" + tbAddress.Text +
        "' where CustomerID = " + tbID.Text, cn).ExecuteNonQuery();
    if (cn.State == ConnectionState.Open)
    {
        cn.Close();
    }
    cn.Dispose();

    BindGridView();
}

private void BindGridView()
{
    // Reloads the whole Customer table into the grid.
    SqlConnection cn = new SqlConnection(@"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True");
    SqlCommand cmd = new SqlCommand("Select * from Customer", cn);
    SqlDataAdapter da = new SqlDataAdapter(cmd);
    DataTable dt = new DataTable();
    da.Fill(dt);
    dgView_CustomerInfo.DataSource = dt.DefaultView;
}

private void dgView_CustomerInfo_RowHeaderMouseClick(object sender, DataGridViewCellMouseEventArgs e)
{
    // Copies the clicked row, including the CustomerID, into the edit text boxes.
    tbID.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["CustomerID"].Value.ToString();
    tbName.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Customer_Name"].Value.ToString();
    tbContactNumber.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Cell_Number"].Value.ToString();
    tbAddress.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Customer_Address"].Value.ToString();
}
Abid Ali asked Dec 17 '10 19:12



3 Answers

Coding Gorilla above has already given you a perfectly good answer, and I support it.

The question you'll find yourself asking about 20 minutes after this goes live is: "Hey, how did all these hackers get my data?"

The method you have above is RIPE for SQL Injection. Read about it here: http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Don't put code like this into production. Sanitize your inputs and use parametrized queries for your DB interactions.

Jeff answered Oct 21 '22 05:10


I think what you're asking is: How can I store the state of my Customer Id without putting it in a text box?

There are a lot of ways to do this, I would do it using the ViewState like this:

public int CustomerId
{
   get { return (int)(ViewState["CustomerId"] ?? -1); }
   set { ViewState["CustomerId"] = value; }
}

You can read more about the ViewState here: http://msdn.microsoft.com/en-us/library/system.web.ui.control.viewstate.aspx

** EDIT **

If you're using a Windows forms application the ViewState will not work, that's for ASP.NET. Instead you should look at using a BindingSource control and read up on Databind in Winforms.

CodingGorilla answered Oct 21 '22 07:10


Do not use string concatenation when constructing your SQL!

Use parameterized statements with placeholders, and set the values using a Parameter object.

ObiWanKenobi answered Oct 21 '22 07:10
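Putting the three answers together, here is an added example (not code from the asker or any of the answerers) of the same WinForms update done with a parameterized SqlCommand and the selected CustomerID kept in a typed field instead of a text box. The form class name, the private field `_selectedCustomerId`, and the column lengths on the parameters are assumptions; the table, column and control names come from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public partial class CustomerForm : Form
{
    // Assumed: the selected id lives in a typed field, so tbID is no longer needed.
    private int? _selectedCustomerId;

    private const string ConnectionString =
        @"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True";

    private void dgView_CustomerInfo_RowHeaderMouseClick(object sender, DataGridViewCellMouseEventArgs e)
    {
        DataGridViewRow row = dgView_CustomerInfo.Rows[e.RowIndex];
        // Convert the id to int once here; it never round-trips through a string control.
        _selectedCustomerId = Convert.ToInt32(row.Cells["CustomerID"].Value);
        tbName.Text = Convert.ToString(row.Cells["Customer_Name"].Value);
        tbContactNumber.Text = Convert.ToString(row.Cells["Cell_Number"].Value);
        tbAddress.Text = Convert.ToString(row.Cells["Customer_Address"].Value);
    }

    private void btnUpdate_Click(object sender, EventArgs e)
    {
        if (_selectedCustomerId == null)
        {
            MessageBox.Show("Select a customer row first.");
            return;
        }

        // Placeholders only; no user text is ever spliced into the statement.
        const string sql =
            "UPDATE Customer SET Customer_Name = @name, Cell_Number = @cell, " +
            "Customer_Address = @address WHERE CustomerID = @id";

        using (var cn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            // Assumed column lengths; values are sent as typed parameters, not as SQL text.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = tbName.Text;
            cmd.Parameters.Add("@cell", SqlDbType.NVarChar, 20).Value = tbContactNumber.Text;
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = tbAddress.Text;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = _selectedCustomerId.Value;

            cn.Open();
            int rows = cmd.ExecuteNonQuery();
            if (rows != 1)
                MessageBox.Show("No customer was updated; the row may have been deleted.");
        }
        BindGridView();
    }
}
```

The `using` blocks dispose the connection and command even if `ExecuteNonQuery` throws, which removes the manual State checks from the original.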