C# SqlCommand query with update

Question

I tried to find it. But I can't found exactly my answer. So I decide to ask this questions. I need your help.

I want add value into table value without overwriting Debit, Score column. It will add current value.

cmd = new SqlCommand("UPDATE Users SET Debit=@debit, 
                                       Score=@score 
                                 WHERE Phone=@phone", con);

con.Open();

cmd.Parameters.AddWithValue("@phone", textBox1.Text);
cmd.Parameters.AddWithValue("@debit", textBox2.Text);
cmd.Parameters.AddWithValue("@score", textBox3.Text);

cmd.ExecuteNonQuery();

MessageBox.Show("Амжилттай");
con.Close();

For example:

Table, Phone: 999 | Debit: 1500 | Score: 100 //current <br>

When I add value from textBox1 = 999, textBox2 = 500, textBox3 = 50

Table, Phone: 999, Debit: 2000, Score: 150 //updating like that

I know SQL query like that. But I don't know how to write code in SqlCommand

UPDATE Users 
SET Debit = Debit + [user input], Score = Score + [user input] 
WHERE = Phone

Any suggestions?

(Sorry for my horrible English I hope you guys understand What I'm trying to ask)

Thanks

you SqlCommand seems fine, what is the problem? – styx Oct 17 '17 at 06:45 — styx, Oct 17 '17 at 06:45

Dmitry Bychenko · Accepted Answer · 2017-10-18T19:58:38.977

If you want to add, just add:

cmd = new SqlCommand(@"UPDATE Users 
                          SET Debit = Debit + @debit, 
                              Score = Score + @score 
                        WHERE Phone = @phone", con);

Please, notice verbatim string @"..." syntax. Please, do not forget about disposing (explicit Close is an antipattern):

string sql = 
  @"UPDATE Users 
       SET Debit = Debit + @debit, 
           Score = Score + @score 
     WHERE Phone = @phone";

//TODO: put the right connection string instead of "MyConnectionStringHere"
//DONE: IDisposable (SqlConnection) should be wrapped into using 
using (var con = new SqlConnection("MyConnectionStringHere")) {
  con.Open();

  //DONE: IDisposable (SqlCommand) should be wrapped into using
  using (var cmd = new SqlCommand(sql, con)) {
    //TODO: AddWithValue is often a bad choice; change to Add 
    cmd.Parameters.AddWithValue("@phone", textBox1.Text);
    cmd.Parameters.AddWithValue("@debit", textBox2.Text);
    cmd.Parameters.AddWithValue("@score", textBox3.Text);

    cmd.ExecuteNonQuery();
    //TODO: a better policy is to read localized strings from resources
    MessageBox.Show("Амжилттай");
  }
}

It solved my problem. Thanks! I really appreciate that. :) – Tamiraa Aquarius Oct 17 '17 at 10:17 — Tamiraa Aquarius, Oct 17 '17 at 10:17

Saalim Bhoraniya · Answer 2 · 2017-10-17T11:04:47.010

1

This will help you....just try in this way..

SqlCommand cmd = new SqlCommand("UPDATE Users SET Debit = Debit + " + textBox2.Text + ", Score = Score + " + textBox3.Text + " WHERE Phone = " + textBox1.Text + "", con);
                con.Open();
                cmd.ExecuteNonQuery();
                MessageBox.Show("Амжилттай");
                con.Close();

OR

SqlCommand cmd = new SqlCommand("UPDATE Users SET Debit = Debit + @debit, Score = Score + @score WHERE Phone = @phone", con);
                con.Open();
                cmd.Parameters.AddWithValue("@phone", textBox1.Text);
                cmd.Parameters.AddWithValue("@debit", textBox2.Text);
                cmd.Parameters.AddWithValue("@score", textBox3.Text);
                cmd.ExecuteNonQuery();
                MessageBox.Show("Амжилттай");
                con.Close();

edited Oct 17 '17 at 11:04

answered Oct 17 '17 at 07:24

Saalim Bhoraniya

330
3
6

Please, do not *hardcode* sql, but use *parameters* (as in the question) – Dmitry Bychenko Oct 17 '17 at 09:09
but output will be same Dmitry Bychenko. – Saalim Bhoraniya Oct 17 '17 at 09:43
Yes, the output will be the same, but: 1. (Almost) all the queries will be different (so the optimizer should have to generate plans for each query); 2. The query is prone to **sql injection**: imagine that `textBox2.Text` contains, say, `123; --`. In this case you'll have the query: `"UPDATE Users SET Debit = Debit + 123 -- ..." (please, notice **commenting** `--`). So input `123; --` will update the *entire table*, not just the required phone – Dmitry Bychenko Oct 17 '17 at 09:48
ohhh..yes thanks a lot Dmitry Bychenko...my query is not secured. – Saalim Bhoraniya Oct 17 '17 at 10:13
I tried this way but it didn't solved my problem. I prefer to use Parameters – Tamiraa Aquarius Oct 17 '17 at 10:20

score 0 · Answer 3 · answered Oct 17 '17 at 06:50

0

You can use += operator for update. Change your sql command like this;

UPDATE Users SET Debit+=@debit, 
                 Score+=@score 
                                 WHERE Phone=@phone

answered Oct 17 '17 at 06:50

Abdulkadir Erkmen

202
1
4

C# SqlCommand query with update

3 Answers3