hi there, i have a payment page which uses javascript to calculate payments and what remains etc. That all works fine, the problem i have is that when you are finished and you go to the next page it should save all of the records to the order table where the order_id = a querystring. Now i have tried using an insert method and an update method, not really sure whats the difference when putting data into an existing record. What happens though is that i can save the contents of labels etc but it wont save the content of dropdown lists (of which there are 2) i just cant work it out, i have posted my code below
string strOrderID =Convert.ToString(Request.QueryString["OrderID"]);
string strDiscountPercent =Convert.ToString(5656);
double dblDiscountMoney =Convert.ToDouble(txtDiscountMoney.Text);string strPaymentMethod1 = ddlPaymentMethod1.SelectedValue;
double dblPaymentAmount1 =Convert.ToDouble(txtPaymentAmount1.Text);string strPaymentRecipt1 = txtPaymentRecipt1.Text;
string strPaymentMethod2 = ddlPaymentMethod2.SelectedValue;double dblPaymentAmount2 =Convert.ToDouble(txtPaymentAmount2.Text);
string strPaymentRecipt2 = txtPaymentRecipt2.Text;string sConnectionStringCustInfo ="my connection string";
SqlConnection objConnOID =new SqlConnection(sConnectionStringCustInfo);
//This is the sql statement.
using (objConnOID){
objConnOID.Open();
string sqlUpDate ="UPDATE tbl_order SET discount_Percent = " + txtDiscountPercent.Text +
", discount_money = " + dblDiscountMoney +
", payment_method1 = " + strPaymentMethod1 + =========== this is the problem line here!", payment_amount1 = " + dblPaymentAmount1 +
", payment_ref1 = " + strPaymentRecipt1 +", payment_amount2 = " + dblPaymentAmount2 +
", payment_ref2 = " + strPaymentRecipt2 +
"WHERE order_ID = " + strOrderID;
SqlCommand objCmd1 =new SqlCommand(sqlUpDate, objConnOID);
try
{
objCmd1.ExecuteNonQuery();
}
and because it throws an error it wont update the database with any other record. does anyone have any ideas, i have spent hours last night trying to figure this one out and im sure its simple! but i need some help!
Cheers
Jez
When concatenating up a sql statement, you would need to wrap your string values with single quotes
sql like this wont work:
column = value
sql like this can work:
column = 'value'
You are however open to injection attacks when you do this and i would recommend you look into using parameterized sql statements instead. When using parameterized statements, you do not need to worry about issues from the single quotes and you are protected from sql injection attacks.
|||
but im not passing a value, its a varaible (string or double) i dont know if that would make a difference?
|||it does make a difference.
when building up a sql statement, you can directly concatenate in your numeric variables as they do not need to be quoted.
when concatenating in the value of a string variable, you need to include the single quotes around the string value to get well formed sql
string sql = "Select * FROM sometable WHERE somecolumn ='" + yourStringVar + "'";
|||
ok thanks, the only thing i dont get is the statement works with labels and textbox values just not dropdownlists
|||the other variables you are using seem to be related to numeric data. if the underlying column type (in your database) for those values is a numeric type (integer, long, double etc..) then you dont need the single quotes. the single quotes are needed for string/text datatypes (char, varchar, text etc...).
No comments:
Post a Comment