not update the existing data

Question

with this code i am performing update...but whenever i am updating with the existing data is showing "record updated "...this i dont want...behalf of this i want record cant be updated becoz data is already exist...so how can i do this....help..

protected void Button2_Click(object sender, EventArgs e)//Update
{
    if (TexBo_num.Text == ""  &&  TexBo_num.Text != "contact_no" )
    {
        ClientScript.RegisterStartupScript(this.GetType(), "myalert", "alert('contact number not be empty');", true);
    }
    else if(TxtBox_name.Text=="name" && TexBo_add.Text=="address" && TexBo_num.Text=="contact_no")
    {
        ClientScript.RegisterStartupScript(this.GetType(), "myalert", "alert('can't update the same record');", true);
    }else
    {
        SqlConnection con = new SqlConnection(@"Data Source=SYSTEM2\SQLEXPRESS;Initial Catalog=amresh;Integrated Security=True");
        SqlCommand cmd = new SqlCommand("UPDATE detail SET name='" + TxtBox_name.Text + "',address='" + TexBo_add.Text + "',contact_no='" + TexBo_num.Text + "' WHERE contact_no='" + TexBo_num.Text + "'", con);
        con.Open();
        cmd.ExecuteNonQuery();
        ClientScript.RegisterStartupScript(this.GetType(), "myalert", "alert('record updated');", true);
        con.Close();
    }
}

This is your sixth question and every question was vulnerable to sql-injection. Why don't you start using sql-parameters? It's very easy. — Tim Schmelter, Sep 23 '13 at 09:50
What happen if I write in `TexBo_num.Text` `1');DROP TABLE detail;--` Don't try it, just imagine it or go to this post http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work — Steve, Sep 23 '13 at 09:51

score 1 · Answer 1 · answered Sep 23 '13 at 09:49

1

If you don't want the message to be displayed, remove this line:

ClientScript.RegisterStartupScript(this.GetType(), "myalert", "alert('record updated');", true);

Also, use paramertized queries because you're vulnerable to SQL injection attacks.

cmd.CommandText = "UPDATE detail SET name=@name,address=@address,contact_no=@contactno WHERE contactno = @contactno");

cmd.Parameters.AddWithValue("@name", TxtBox_name.Text);  
cmd.Parameters.AddWithValue("@address", TxtBo_add.Text);  
cmd.Parameters.AddWithValue("@contactno", TexBo_num.Text);

answered Sep 23 '13 at 09:49

Darren

68,902
24
138
144

hay tim if i am updating without changing any data then it will show "record updated that i dont want.....so how can i prevent this" – amresh singh Sep 23 '13 at 10:04
reply no...@Tim Schmelter – amresh singh Sep 23 '13 at 10:20

score 1 · Answer 2 · answered Sep 23 '13 at 09:50

1

Try removing

ClientScript.RegisterStartupScript(this.GetType(), "myalert", "alert('record updated');", true);

from your else block

answered Sep 23 '13 at 09:50

iJade

23,144
56
154
243

not update the existing data

2 Answers2