-1

The value of my ComboBox is from the sql database and its working great but I want to get the Med_id of the value inorder for me to add another entry

Med_ID is a foreign key from another table, is there a way to get it and add it to y ledger table?

here's the code: 

string MyConnection2 = "datasource=localhost;port=3306;user id=root;password=''";
string Query = "INSERT INTO
                newssph.ledger(Date, Reference, Rec_Qty, Iss_Qty, Bal_Qty, Med_ID)
                VALUES('" + txtdate.Text + "','" + comboBox4.Text + "','"
                          + this.txtrec.Text + "','" + this.txtissue.Text +
                          "','" + this.txtbal.Text + "','" + id + "','" +
                      "');";
MySqlConnection MyConn2 = new MySqlConnection(MyConnection2);
MySqlCommand MyCommand2 = new MySqlCommand(Query, MyConn2);
MySqlDataReader MyReader2;
MyConn2.Open();
MyReader2 = MyCommand2.ExecuteReader();
MessageBox.Show("Data Added");
Brian
  • 5,069
  • 7
  • 37
  • 47
Joshua C. Tuonan
  • 9
  • 2
  • 9
  • 4
    You need to parameterize your queries. Read up on sql injection, this is a textbook example. You also might look into moving your connection string to a config file. – Sean Lange Jul 31 '15 at 18:01
  • string selected = (string)cbmed.SelectedItem; string id = "SELECT Med_ID from medicine where Item='" + selected + "'"; – Joshua C. Tuonan Jul 31 '15 at 18:02
  • 1
    I don't even know what your last comment means but it is nothing like parameterized queries. Is Med_ID the value for your combobox? If so, you can get the value from the combobox. – Sean Lange Jul 31 '15 at 18:03
  • if you are going to post code.. then please post all relevant code that pertains to your issue also do not post code in your comments, update / edit the original question – MethodMan Jul 31 '15 at 18:03
  • 1
    @JoshuaC.Tuonan - No. What Sean meant was [this](http://stackoverflow.com/questions/652978/parameterized-query-for-mysql-with-c-sharp). – Brian Jul 31 '15 at 18:04
  • No, the value of my combobox is the description of the med_ID – Joshua C. Tuonan Jul 31 '15 at 18:04
  • Sorry im new with this – Joshua C. Tuonan Jul 31 '15 at 18:09
  • I would move to a stored procedure. It makes your code cleaner, gives you better separation of code and data. Why is the value the description of med_ID? Shouldn't the value be the med_ID so you can use it? The text value is what you want displayed. – Sean Lange Jul 31 '15 at 18:10

1 Answers1

0

There are a LOT of issues with the code you posted. You seem to be using improper controls for things. A textbox is NOT a good choice for dates or numbers. If possible I would suggest giving your database columns better names too. What is date? Is that the date entered, edited, due, expired?? Just a few characters adds a LOT of clarity. If this was my code I would move this insert to a stored procedure but this is how you can turn this code into something safe from sql injection.

using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["YourConfigKeyHere"].ConnectionString))
            {
                conn.Open();
                using (SqlCommand cmd = new SqlCommand())
                {
                    cmd.Connection = conn;
                    cmd.CommandText = "insert into newssph.ledger(Date, Reference, Rec_Qty, Iss_Qty, Bal_Qty, Med_ID) values(@Date, @Reference, @Rec_Qty, @Iss_Qty, @Bal_Qty, @Med_ID)";
                    cmd.CommandType = CommandType.Text;
                    cmd.Parameters.Add("@Date", SqlDbType.DateTime).Value = txtdate.Text; //Why are you using a textbox instead of a datepicker???
                    cmd.Parameters.Add("@Reference", SqlDbType.VarChar, 25).Value = comboBox4.Text; //Seriously??? comboBox4??? Give your controls names
                    cmd.Parameters.Add("@Rec_Qty", SqlDbType.Int).Value = this.txtrec.Text; //Why are you again using text? this should be a control that only allows numbers
                    cmd.Parameters.Add("@Iss_Qty", SqlDbType.Int).Value = this.txtissue.Text;
                    cmd.Parameters.Add("@Bal_Qty", SqlDbType.Int).Value = this.txtbal.Text;
                    cmd.Parameters.Add("@Med_ID", SqlDbType.Int).Value = this.comboBox4.Value;
                    cmd.ExecuteNonQuery();
                }
            }
Sean Lange
  • 33,028
  • 3
  • 25
  • 40
  • Notice I used explicit datatypes for all the parameters. You may run into suggestions to use AddWithValue to avoid being forced to be explicit but it can sometimes get things wrong because it is has to interrogate the database to know what type to pass. http://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/ – Sean Lange Jul 31 '15 at 18:21
  • Sorry, Im new with this. I wanted to use date and time picker for the date but I only want the date not the time and day. :) – Joshua C. Tuonan Aug 01 '15 at 01:44