HELP!! - Passing a Form Value into a Paramater

[Adz1809]

HI,

I'm creating an update form for update a records within a db.

The update routine is working if I hard code value into it.

The problem is that the form values are not being passed into the parameters.

Here is the code:

Code:

Sub UpdateRec(Source as Object, E as EventArgs)
 
dim dsn As String = ConfigurationSettings.AppSettings("SystemConnectionNew")
    
dim objConn as  New SqlConnection(dsn)
 
Dim UpdateCommand As SqlCommand = New SqlCommand()
UpdateCommand.Connection = objConn
Dim sql As String
sql = "UPDATE tbl_ACCO_EU_Contacts SET Title=@Title WHERE EndUserID=@EndUserID"
 
UpdateCommand.CommandText = sql
 
UpdateCommand.Parameters.Add(New SqlParameter("@Title", textTitle.Text))
UpdateCommand.Parameters.Add("@EndUserID", SqlDbType.Int).Value = 13
 
Try
objConn.Open()
UpdateCommand.ExecuteNonQuery()
Catch ex As Exception
response.Write(ex.ToString())
Finally
objConn.Close()
End Try
'response.Redirect("record_srch.aspx")
End sub

Here is the form:

Code:

<form runat="server" name="selform">
<ol>
<li >
<label for="textTitle">Title:</label>
<asp:TextBox ID="textTitle" runat="server" />
</li>
<asp:TextBox Visible="false" ID="textEndUserID" runat="server" />
 <li>
<asp:Button ID="btnUpdate" Text="Update Record" Enabled="false" OnClick="UpdateRec" runat="server" /></li>
</ul>
</ol>
</form>

Any help would be great.

Adz

[snomag]

Hi,

At first glance I couldn't really say what causes the problem. The parameter initializing should be ok..

Your Update button is disabled tho, when do you enable it so it can trigger the update? I can't see it in your code..

[Adz1809]

Here is the rest of the code:

Code:

<&#37;@ import namespace="System.Data" %>
<%@ import namespace="System.Data.SqlClient" %>
<Script Language="VB" Runat="Server">

dim objCmd As SqlCommand
dim objRdr As SqlDataReader
dim strCmd As String


Sub Page_Load(Source as Object, E as EventArgs)

	CheckActive()
	LogActivity()
	
	sysMenu = true
	
	BindData()
	
end sub

Sub BindData()

	dim dsn As String = ConfigurationSettings.AppSettings("SystemConnectionNew")
	
	dim objConn as  New SqlConnection(dsn)
	    
    strCmd = "SELECT * FROM tbl_ACCO_EU_Contacts WHERE EndUserID=" & Request.QueryString("id")
	
	Dim objCmd As New SqlCommand(strCmd, objConn)
	
	objConn.open()
    
    objRdr = objCmd.ExecuteReader()
	
	While objRdr.Read()
	
	If not isDbNull(objRdr.Item("Title")) Then
    textTitle.Text = objRdr.Item("Title")
	End If
	
	If not isDbNull(objRdr.Item("EndUserID")) Then
    textEndUserID.Text = objRdr.Item("EndUserID")
	End If
	
	End While
 
    objRdr.Close()
	
	objConn.Close()
	
	btnUpdate.Enabled = True
	
End Sub

[snomag]

I see.

You might face this problem becouse you re-bind the data on every Page_Load.
When you click the button, the page_load will run first (and set back the old values) and the update will run later so you'll find the old values in the fields again...
So if you're not getting an exception and the update executes without any problem, than this might be your problem. I'd recommend you to learn a bit about a Page's life cycle.

[snomag]

Ah also, I forgot to mention a few more things:
First of all, DON'T build SQL queries like this:
strCmd = "SELECT * FROM tbl_ACCO_EU_Contacts WHERE EndUserID=" & Request.QueryString("id")
It's a huge security hole in your application. Read about SQL injection attacks so, it's a well covered topic these days, so you won't have any problem finding materials.

I'd also consider using built in controls and try to avoid manual databinding unless it's really needed.

[Adz1809]

Cheers ever so much for that, I've added:

If not Page.IsPostback then

BindData()

End If

And this has sorted out the issues.

I'll look into SQL injection attacks to see what I can do.