-1

I have a small table (tbl_user_favs) that is meant to store user favorites. Column 1 is the user ID, and then every column after that is a slot for a selected favorite PC to be stored, denoted Slot1, Slot2.

enter image description here

                using (SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\UserFavorites.mdf;Initial Catalog=tbl_user_favs;Integrated Security=True;Connect Timeout=30"))
                {
                    string cmdString = ("SELECT * FROM tbl_user_favs WHERE UserID = '" + Globals.emailUID + "'");
                    SqlCommand cmd = new SqlCommand(cmdString, con);

                    cmd.Parameters.Add("@Slot1", SqlDbType.VarChar).Value = PCnum;
                    

                    DataSet loginCredentials = new DataSet();
                    SqlDataAdapter dataAdapter;

                    con.Open();

                    //dataAdapter = new SqlDataAdapter(cmdString, con);
                    dataAdapter = new SqlDataAdapter(cmd);
                    dataAdapter.Fill(loginCredentials);
                    //cmd.ExecuteNonQuery();

                    con.Close();
                }

Code executes, but it does not add the PCnum to the database next to the UserID. It should lok through the rows, find the UserID that matches the logged in user, Globals.emailUId, and add the PCnum to an open slot. Without worrying yet how to dynamically increment the Slots, why isn't this insert adding the PCnum to Slot 1? I've seen some tutorials use ExecuteNonQuery, and some use the dataAdapter, but both have the same result. I suspect there is something off with my SQL? Thank you

ASh
  • 34,632
  • 9
  • 60
  • 82
Alex D
  • 25
  • 6
  • 1
    To start, your `SELECT` statement is a query, not a non-query. Also it is prone to [SQL injection attacks](https://bobby-tables.com/). And the parameter `@Slot1` is not part of the query. And finally, your code has no relation to WPF. – Klaus Gütter Jan 10 '23 at 17:53

1 Answers1

1

There are a couple things going on here.

First is that you are using "Parameters" incorrectly. It's supposed to add data to your query, not data to the database/row/column after a query has been made.

sql parameterized query in C# with string

Second, you are doing a select query, so you are only getting data from the db, not putting data into it.

To do what you want, you'd need to do this instead: (I don't have a good way to test this, so it may need tweaks, but it should be close.)

using (SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\UserFavorites.mdf;Initial Catalog=tbl_user_favs;Integrated Security=True;Connect Timeout=30"))
{
  string cmdString = ("UPDATE tbl_user_favs SET Slot1 = @Slot1 WHERE UserID = @EmailUID");
  SqlCommand cmd = new SqlCommand(cmdString, con);

  cmd.Parameters.AddWithValue("@Slot1", PCnum);
  cmd.Parameters.AddWithValue("@EmailUID", Globals.emailUID);
  con.Open();
  cmd.ExecuteNonQuery();
  con.Close();
}

You no longer need the DataSet or the SqlDataAdapter.

Since you seem to be confused on what parameterization is and why to use it, check out this question, too.

And here's just some more reading on the topic in general. I used these articles as resources for this answer:
https://visualstudiomagazine.com/articles/2017/07/01/parameterized-queries.aspx

https://www.c-sharpcorner.com/UploadFile/a20beb/why-should-always-use-the-parameterized-query-to-avoid-sql-i/

computercarguy
  • 2,173
  • 1
  • 13
  • 27
  • 1
    I really appreciate the answer, this worked without issues. Moreover, it was extremely helpful for me to have concise explanations and resources that touch on related topics. Reading through the links you provided has been immensely helpful in clearing things up instead of trying to piece things together from 3 separate tutorials. Thank you! – Alex D Jan 10 '23 at 19:30