ansaurus

Question

What is wrong with this simple update query?

Answer 1

+2 A:

For one thing, it's wildly susceptible to injection attack.

On a more day-to-day level, any input containing a single apostrophe character is going to break the syntax. Does any of your data happen to have an apostrophe in it?

EDIT - 2nd idea As you're just learning, be aware that you MUST call conn.Close(); to close the connection to the database once you're done with it, otherwise the connection will remain open on the database server until garbage collection gets round to disposing your conn instance. Alternatively, see the using () {} construct.

Slightly grasping at straws here, but try an explicit transaction.

SqlTransaction trans;
conn.Open(); 
try 
{
    trans = conn.BeginTransaction();
    int rows = cmd.ExecuteNonQuery(); 
    trans.Commit();
}
catch 
{
     trans.Rollback();
}
conn.Close();

Neil Moss 2010-05-09 20:58:59

No apostrophes. There is a forward slash character. I understand this is a sql injection attack waiting to happen, I'm just keeping things simple while I learn to work with c#.

Kyle Noland 2010-05-09 21:02:33

@Kyle - I cannot in any sense see how munging strings to create a query is simpler than using a parameterized query. In any sense. At any time. Even on sunday. And it is Sunday. ;-) That rationale is just you shortchanging yourself. Good luck.

Sky Sanders 2010-05-09 21:17:52

Well for one thing, I'm unfamiliar with how to properly use parameters. I'm just getting started with C# after coming from a PHP background. Besides the fact that I am aware this is a HORRIBLE idea for real world code, it was not my question anyway. I'm trying to figure out why this query isn't updating my row. Writing the most secure, elegant code on a throw away project while I'm just trying to learn basics is not the point today. Even on a Sunday :)

Kyle Noland 2010-05-09 21:33:46

Answer 2

+9 A:

You should use a parameterized query for several reasons:

eliminate the possibility of an embedded apos breaking your query
protecting your database/website from sql injection

Also, if the cmd returns 1 then the row was updated. You may need to examine your expectations...

String query = @"
    UPDATE contacts 
    SET contact_name = @contact_name, contact_phone = @contact_phone, contact_fax = @contact_fax, 
        contact_direct = @contact_direct , company_id = @company_id, contact_address1 = @contact_address1, 
        contact_address2 =@contact_address2, contact_city = @contact_city , contact_state = @contact_state,  
        contact_zip = @contact_zip 
    WHERE contact_id = @contact_id";

String cs = Lib.GetConnectionString(null);
using (SqlConnection conn = new SqlConnection(cs))
{
    using (SqlCommand cmd = conn.CreateCommand())
    {
        cmd.Parameters.AddWithValue("@contact_name", ContactName.Text.Trim());
        cmd.Parameters.AddWithValue("@contact_phone", Phone.Text.Trim());
        cmd.Parameters.AddWithValue("@contact_fax", Fax.Text.Trim());
        cmd.Parameters.AddWithValue("@contact_direct", Direct.Text.Trim());
        cmd.Parameters.AddWithValue("@company_id", Company.SelectedValue);
        cmd.Parameters.AddWithValue("@contact_address1", Address1.Text.Trim());
        cmd.Parameters.AddWithValue("@contact_address2", Address2.Text.Trim());
        cmd.Parameters.AddWithValue("@contact_city", City.Text.Trim());
        cmd.Parameters.AddWithValue("@contact_state", State.SelectedValue);
        cmd.Parameters.AddWithValue("@contact_zip", Zip.Text.Trim());
        cmd.Parameters.AddWithValue("@contact_id", contact_id);
        cmd.CommandText = query;
        cmd.Connection.Open();
        int rows = cmd.ExecuteNonQuery();
    }
}

Now, doesn't that look much cleaner? And when you understand why, it will give you a warm fuzzy feeling and let you sleep well at night. ;-)

Clarification:

Your stated question was "What is wrong with this query". The answer is nothing. Nothing is wrong with the query.

The problem is with your page code, which you did not post even after 5 people suggested that there is nothing wrong with the query.

What I meant by 'You may need to examine your expectations...' and 'you need to examine the data going into the parameters BEFORE executing the query to ensure they are what you want' is more clearly described by John, but let me briefly point it out again:

The query as shown is ostensibly correct and should perform as expected. What you are likely experiencing is a flaw in the logic of the surrounding code.

Most likely you are databinding in page_load without an IsPostback guard thus overwriting your input values with the original data.

You need to load and bind your controls/page once only upon the first load. Thereafter the state of the controls are persisted in viewstate, which is stored in a hidden field in the html. If you simply bind to the data source on each page load you will overwrite any input

So lets examine how this works.

Here is a proper logical flow

protected void Page_Load(object sender, EventArgs e)
{
    System.Diagnostics.Trace.WriteLine("Page_Load");
    if (!IsPostBack)
    {
        System.Diagnostics.Trace.WriteLine("\tBind TextBox1");
        TextBox1.Text = "Initial Value";
    }
    System.Diagnostics.Trace.WriteLine("\tTextBox1.Text = " + TextBox1.Text);
}

protected void Button1_Click(object sender, EventArgs e)
{
    System.Diagnostics.Trace.WriteLine("Button1_Click");
    System.Diagnostics.Trace.WriteLine("\tTextBox1.Text = " + TextBox1.Text);
}

If you load this page, enter 'New Value' into the textbox and click button one, this is what Trace shows:

    Page_Load
        Bind TextBox1
        TextBox1.Text = Initial Value

    Page_Load
        TextBox1.Text = New Value

    Button1_Click
        TextBox1.Text = New Value

But without the guard:

protected void Page_Load(object sender, EventArgs e)
{
    System.Diagnostics.Trace.WriteLine("Page_Load");
    System.Diagnostics.Trace.WriteLine("\tBind TextBox1");
    TextBox1.Text = "Initial Value";
    System.Diagnostics.Trace.WriteLine("\tTextBox1.Text = " + TextBox1.Text);
}

        protected void Button1_Click(object sender, EventArgs e)
{
    System.Diagnostics.Trace.WriteLine("Button1_Click");
    System.Diagnostics.Trace.WriteLine("\tTextBox1.Text = " + TextBox1.Text);
}

You get the results that you are likely experiencing...

    Page_Load
        Bind TextBox1
        TextBox1.Text = Initial Value

    Page_Load
        Bind TextBox1
        TextBox1.Text = Initial Value

    Button1_Click
        TextBox1.Text = Initial Value

But again, a practical debugging technique that would help you is to break in the update method just before the query is executed and examine the values to verify that they are what you think they are and then go from there.

Sky Sanders 2010-05-09 21:09:43

+1 - knew someone else would do it so I held back... I would also add in some `using` statements on the `SqlConnection` and `SqlCommand` for good measure.

John Rasch 2010-05-09 21:16:45

@John - sho nuff.

Sky Sanders 2010-05-09 21:19:50

Using your query, same results. This was nearly identical to my original method, but I removed the parameters to get as simple as possible while troubleshooting. int rows = 1 after the query. Inspecting the row in SSMS shows no data is changed.

Kyle Noland 2010-05-09 21:23:36

@kyle - You did re-run the query in SSMS to refresh the data you're inspecting, after running your program, didn't you?

Neil Moss 2010-05-09 21:25:45

@Kyle - there is something hinky going on. Either you are in the middle of a transaction that later does not get committed or you need to examine the data going into the parameters **BEFORE** executing the query to ensure they are what you want. If the command executes with no errors and you get a 1 back then the row **was** updated.

Sky Sanders 2010-05-09 21:26:34

Yes, I reran the query in SSMS to get fresh data. I don't have any transaction code at all. This is just a simple page with a form on it to update contact information. I'm completely in control of the data going in, there is nothing strange about it.

Kyle Noland 2010-05-09 21:29:48

@Kyle - well.... i got nuthin else. After 10 years, this pattern is burned into my brain. I can confidently count on code like that above posted to do it's job without any doubt. Not sure what your damage is. Good luck.

Sky Sanders 2010-05-09 21:35:19

Answer 3

+3 A:

If it's still not working, here's some debugging questions:

Where is this code located and at which part of the page lifecycle is it being called?
What is Lib.GetConnectionString(null) returning?
Have you set any breakpoints before the update query to ensure the correct data is there?

My best guess is that since you are updating an existing record, it's very likely that your postback values are being overwritten on Page_Load by existing data in the database, which would mean the query is in fact updating, but it's updating with the same exact data that's already in there.

What you'll want to do is check if(!IsPostBack)... before you populate any of your textboxes on the page. This way, if there is a postback, then the data in the textboxes will populate with the postback values instead of values from your database.

John Rasch 2010-05-09 22:34:16

+ that is what I was getting at when I suggested that OP check the values going into the db but did not want to add to the confusion. After reading your response I realize that I was probably just being lazy.

Sky Sanders 2010-05-09 23:45:51

@code poet - on a Sunday afternoon, there's no such thing!

John Rasch 2010-05-10 00:06:53

Answer 4

+1 A:

Looking at the other discussion in this question, it seems like your query works but something unrelated is wrong here. Some things to check that bite me in the ass sometimes:

Are you really sure you're running the query you think you are? Break into the debugger before you hit cmd.ExecuteNonQuery(). Are the parameters what you think they are? Is the command text still what you think it should be?
Are you updating the right database? Break into the debugger and check your connection string (cs). Perhaps you're still connected to a production database when you want a development one, or vice versa?
What happens if you run the query manually in SQL Management Studio? Did the row update to what you think it should?

Stephen Jennings 2010-05-09 22:48:06

+1 for "Are you really sure...". I added an answer that shows you how to check without using the debugger. Either would work but I just wanted to provide an additional option.

Chris 2010-05-10 00:03:49

Answer 5

A:

If contact_id is an integer, try not putting it in single quotes.

Change:

"WHERE contact_id = '" + contact_id + "'";

to

"WHERE contact_id = " + contact_id;

Update: As John pointed out in a comment, there is no significant difference in these two clauses. It's probably faster to query without the quotes because you're skipping a cast/convert in that case, though.

Chris 2010-05-09 23:56:34

Note that code poet's solution is better, and makes my suggestion totally moot. But if you wanted to try this quickly with your current code, my suggestion serves that purpose.

Chris 2010-05-09 23:57:36

@Chris - this was the first thing I thought to be the problem as well, then I ran a quick query on an `INT` column using the single quotes and I was surprised to see it still worked

John Rasch 2010-05-10 00:09:15

@John Rasch - Far out... I guess this makes sense, because I hand-query with dates in single quotes all the time. It just converts/casts the string into a DateTime. I guess this is really no different.

Chris 2010-05-10 01:01:41

Answer 6

+2 A:

Another thing you can try for quick troubleshooting purposes is to use the SQL Server profiler. It's easier to use than you think. I promise!

Run the Sql Server Profiler (comes with Sql server)
Click File -> New Trace
Connect to your DB
Accept the default trace properties.
Boom! It's recording!
Run your app. If you're already on the page that does the update, refresh it, or hit the button or whatever that causes the update.
Examine the records that appear in the trace. It's all real-time!
Optional: Click the erase button and try again. You will be able to see the exact SQL that is executing in the profiler.
When you're done, hit the stop button.

Chris 2010-05-10 00:02:16

ansaurus

tags:

views:

answers:

What is wrong with this simple update query?

related questions