-3

I have a problem with my C# code, where the statements

if (i >0)
{
    MessageBox.Show("data ada");
}

are not working. Maybe anyone in here can help me please :)

    if (pk_nama.Text == "" || pk_umur.Text == "" || pk_jenkel.Text == "" || pk_level.Text == "" || pk_alamat.Text == "")
    {
        MessageBox.Show("Isi data dulu");
    }
    else
    {
        MySqlConnection conn = konek.sambungkan();
        conn.Open();
        String query = "select * from tb_pekerja where pk_nama =' " + pk_nama.Text + " '";
        MySqlCommand cmde = new MySqlCommand(query, conn);

        dt = new DataTable();
        da = new MySqlDataAdapter(query, conn);
        da.Fill(dt);
        int i = Convert.ToInt32(dt.Rows.Count.ToString());
        if (i > 0)
        {
            MessageBox.Show("data ada");
        }
        else
        {
            if (String.IsNullOrWhiteSpace(id_pekerja.Text))
            {
                // rest of this branch was not included in the question
            }
        }
    }
Nathalia Soragge
  • 1,415
  • 6
  • 21
  • What do you mean by "not working"? Please clarify your question. – Max von Hippel Jul 21 '18 at 04:55
  • Did you debug the code? Checked the values of textboxes? What values you are entering in textboxes? – Chetan Jul 21 '18 at 04:55
  • This is quite ambiguous , Please be specific which part of the code is not working – Sumit raj Jul 21 '18 at 04:56
  • 1
    Side note: Showing example of [SQL injections](https://stackoverflow.com/questions/35163361/how-can-i-add-user-supplied-input-to-an-sql-statement) in what supposed to be [MCVE] is bad idea as it may invite downvotes and generally lead to unrelated discussions. – Alexei Levenkov Jul 21 '18 at 05:00
  • Can you be more specific?What is not working? – Joe Jul 21 '18 at 05:42
  • 1
    Tamas has the answer below, and people have highlighted the SQL injection vulnerability, but also note that `MySqlConnection`, `MySqlCommand` and `MySqlDataAdapter` are all `IDisposable` so should each be in a `using` block. And `int i = Convert.ToInt32(dt.Rows.Count.ToString());` takes a perfectly good int, turns it into a string before converting it back again. In the code shown above, `cmde` is unused. – Richardissimo Jul 21 '18 at 06:05
  • Whether the control enters in else block or not? – Waqas Shabbir Jul 21 '18 at 08:51

2 Answers

1

There are multiple problems with this line. Besides the obvious injection vulnerability, it adds spaces to the PK, so you will never get any results.

string query = "select * from tb_pekerja where pk_nama =' " + pk_nama.Text + " '";

should be

// Warning still vulnerable to injections
string query = "select * from tb_pekerja where pk_nama ='" + pk_nama.Text + "'";

Using a prepared statement would solve the injection problem.

Tamas Hegedus
  • 28,755
  • 12
  • 63
  • 97
0

I have no idea if this will help you but there you go.

MySqlConnection conn = konek.connect();
conn.Open();
// still built by concatenation (see the note below); the stray spaces around the value
// are removed here, otherwise pk_nama = ' value ' never matches a stored name
string query = "select * from tb_pekerja where pk_nama ='" + pk_nama.Text + "'";

DataSet ds = new DataSet(); // a DataTable has no Tables collection, so fill a DataSet
da = new MySqlDataAdapter(query, conn);
da.Fill(ds, "Pekerja"); // give the table a name

int i = ds.Tables["Pekerja"].Rows.Count;

if (i > 0)
{
    MessageBox.Show("data ada");
}
else
{
    // your code here...
}

Also listen to @Alexei Levenkov: do not construct SQL queries the way you do or you'll be vulnerable to SQL injection. Look into MySQL parameters.

pid
  • 11,472
  • 6
  • 34
  • 63
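Both answers point at parameters as the fix for the concatenated query; the method below shows what that looks like, as an added example that is not code from the question or either answer. It assumes `konek.sambungkan()` from the question returns an unopened `MySqlConnection`, that the MySql.Data connector is referenced, and `HitungPekerja` is a name chosen here; it also puts the connection and command in `using` blocks as the comments suggest.

```csharp
using System;
using System.Windows.Forms;
using MySql.Data.MySqlClient;

// Hypothetical helper to drop into the form class: returns how many rows of
// tb_pekerja have pk_nama equal to the supplied text.
static long HitungPekerja(string nama)
{
    // The value is never spliced into the SQL text, so quotes, comment
    // sequences or "OR 1=1" typed into the textbox stay plain data.
    const string query = "SELECT COUNT(*) FROM tb_pekerja WHERE pk_nama = @nama";

    // using blocks dispose the connection and command even when an exception is thrown
    using (MySqlConnection conn = konek.sambungkan())   // assumed: from the question
    using (MySqlCommand cmd = new MySqlCommand(query, conn))
    {
        cmd.Parameters.Add("@nama", MySqlDbType.VarChar).Value = nama;
        conn.Open();
        return Convert.ToInt64(cmd.ExecuteScalar());
    }
}

// Usage from the button handler in the question, replacing the DataTable check:
// if (HitungPekerja(pk_nama.Text) > 0) MessageBox.Show("data ada");
```

COUNT(*) avoids pulling every matching row into a DataTable just to count them, and the exact-match semantics are now decided by the database, not by whatever spaces end up inside the string literal.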