Denil (Starting Member, 14 Posts)
Posted - 2006-10-26 : 01:27:35

Hi there. I need help with some SQL statements. Let me explain. I have created a database with a username and a credit column, and I have created a text box (in VS2005). What I want to do now is key in some smallmoney or integer value in the text box, and deduct the value I keyed in at the text box from the credit column. It is something like "credit - textbox.text". I don't know how to write the select, update, insert and delete statements for this. I tried to put "-textbox.text", but it gives me an error... some part like this:

UPDATE UserCredit SET Credit = @Credit - textbox.text WHERE (UserName = @UserName)

Hope I get some help from you all. Thanks.
SwePeso (Patron Saint of Lost Yaks, 30421 Posts)
Posted - 2006-10-26 : 01:32:16

strSQL = "UPDATE UserCredit SET Credit = Credit - " & textbox.text & " WHERE UserName = '" & strUserName & "'"
cn.execute(strsql,,adexecutenoreturn)

Peter Larsson
Helsingborg, Sweden
Denil (Starting Member, 14 Posts)
Posted - 2006-10-26 : 03:23:42

Peso, thanks for your help. I'm still not sure where to put your statement? When I put it in, a lot of errors come out. I'm using C#. I wonder whether I can put the code inside the SqlDataSource I dragged from the toolbar, inside the "Configure Data Source" dialog there? Or can you guide me on where to put it? Sorry...
jezemine (Master Smack Fu Yak Hacker, 2886 Posts)
Posted - 2006-10-27 : 01:02:44

Please don't write code like this. It's a great way to let someone take control of your system through SQL injection. If you paste together a SQL statement from UI controls, you are asking for trouble.

You say you are using C#. If you INSIST on ad-hoc queries composed in your client app code, then please follow the pattern here:
http://msdn2.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare.aspx

This example demonstrates a safe way to pass parameters to an ad-hoc query created on a client. Basically it's the equivalent of a parameterized call to sp_executesql (that's what SqlClient is doing under the covers).

However, the best thing would be to limit access of clients to the db to only sproc calls. In that case your code would be similar to the example above (still add params using the SqlCommand.Parameters collection), but you'd set SqlCommand.CommandType = CommandType.StoredProcedure.

Hope this helps!

SqlSpec - a fast, cheap, and comprehensive data dictionary generator for SQL Server 2000/2005 and Analysis Server 2005 - http://www.elsasoft.org
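As an added example, not code posted by anyone in this thread, here is the credit deduction from the first post written in C# with SqlClient the way the reply above describes: the text box value is parsed to a number first and then bound as a typed parameter, so it never becomes part of the SQL text, which is exactly what the concatenated version gets wrong. Both the ad-hoc parameterised UPDATE and the stored-procedure variant are shown. The connection string, the NVARCHAR(50) width of UserName, and the procedure name dbo.usp_DeductCredit are assumptions; the table name UserCredit, the column names and the smallmoney type come from the thread.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Assumed schema (from the thread): UserCredit(UserName, Credit smallmoney).
// The connection string is a placeholder; replace it with your own.
public static class CreditRepository
{
    private const string ConnectionString =
        "Server=(local);Database=PLACEHOLDER_DB;Integrated Security=true;";

    // Step 1: turn the raw text box string into a number *before* it goes anywhere
    // near SQL. Anything that is not a positive decimal (including text such as
    // "1; DROP TABLE UserCredit") is rejected here and never reaches the server.
    public static bool TryParseAmount(string text, out decimal amount)
    {
        return decimal.TryParse(text, NumberStyles.Number,
                                CultureInfo.InvariantCulture, out amount)
               && amount > 0;
    }

    // Step 2a: ad-hoc UPDATE with parameters. The SQL text is a constant; the
    // values travel separately as typed parameters (SqlClient sends this as a
    // parameterised sp_executesql call, as noted in the thread).
    public static int DeductCreditAdHoc(string userName, decimal amount)
    {
        const string sql =
            "UPDATE UserCredit SET Credit = Credit - @Amount WHERE UserName = @UserName";

        using (var cn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@Amount", SqlDbType.SmallMoney).Value = amount;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cn.Open();
            // Rows affected: 1 when the user exists, 0 when the WHERE matched nothing.
            return cmd.ExecuteNonQuery();
        }
    }

    // Step 2b: the same operation through a stored procedure, which lets the
    // database login be granted EXECUTE on the procedure only and no direct
    // table access. dbo.usp_DeductCredit is a hypothetical name; it would take
    // @UserName and @Amount and run the UPDATE above.
    public static int DeductCreditViaProc(string userName, decimal amount)
    {
        using (var cn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.usp_DeductCredit", cn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Amount", SqlDbType.SmallMoney).Value = amount;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // How a button click handler on the form would use the above. userNameText and
    // amountText stand in for the two text box values.
    public static string HandleDeduct(string userNameText, string amountText)
    {
        decimal amount;
        if (!TryParseAmount(amountText, out amount))
            return "Please enter a positive number.";

        int rows = DeductCreditAdHoc(userNameText, amount);
        return rows == 1 ? "Credit updated." : "User not found.";
    }
}
```

The two things worth noticing: the SQL string contains no user input at all, so there is nothing for an attacker to break out of, and the value is converted to a decimal and typed as SmallMoney on the client, so a non-numeric entry fails at TryParseAmount with a clear message instead of producing a server-side conversion error (the "error" the first post ran into comes from exactly that kind of mismatch).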