1

Here is my button command for save. need help in getting this to work, will be getting this to defend for tomorrow school project. Thanks! Its for Datagridview, access, c#. I use 2010VS and MS Access 2007.

private void save_Click(object sender, EventArgs e)
    {

        if (adminyes.Checked == true || adminno.Checked == true && textBox1.Text != null && textBox2.Text != null && textBox3.Text != null)
        {
            admin = "Yes";

            if (mode == "a")
            {
                x = 0;
                connect.Close();
                connect.ConnectionString = inventorydb;
                connect.Open();
                sqlcommand.CommandText = "SELECT * FROM Users WHERE Username ='" +textBox2.Text+ "' Or User_ID ='" +textBox1.Text+ "' ";
                sqlcommand.Connection = connect;
                OleDbDataReader reader = sqlcommand.ExecuteReader();
                while (reader.Read())
                {
                    x++;
                }

                if (x != 0)
                {
                    MessageBox.Show("", "",MessageBoxButtons.OK);
                }
                else
                {
                    DialogResult res = MessageBox.Show("Are you sure?", "Save User", MessageBoxButtons.YesNo, MessageBoxIcon.Warning);

                    if (DialogResult.Yes == res)
                    {
                        connect.Close();
                        connect.ConnectionString = inventorydb;
                        connect.Open();
                        sqlcommand.CommandText = "INSERT INTO Users (User_ID, Username, Password, Admin) VALUES ('" + textBox1.Text + "','" + textBox2.Text + "', '" + textBox3.Text + "', '" + admin + "') ";
                        sqlcommand.Connection = connect;
                        reader = sqlcommand.ExecuteReader();
                        MessageBox.Show("Record(s) Saved", "Sample");
                    }

                    reset();
                }
            }
            else if (mode == "e")
            {
                DialogResult res = MessageBox.Show("Are you sure?", "Update User", MessageBoxButtons.YesNo, MessageBoxIcon.Warning);

                if (DialogResult.Yes == res)
                {
                    connect.Close();
                    connect.ConnectionString = inventorydb;
                    connect.Open();
                    sqlcommand.CommandText = "UPDATE Users SET User_ID = '" + textBox1.Text + "',  Username = '" + textBox2.Text + "', Password = '" + textBox3.Text + "',Admin = '" + admin + "' WHERE SerialID = '" + idholder + "'  ";
                    sqlcommand.Connection = connect;
                    OleDbDataReader reader = sqlcommand.ExecuteReader();
                    reader.Read();
                    MessageBox.Show("Record(s) Updated", "Sample");

                }

                reset();
            }
        }
        else 
        {
            MessageBox.Show("", "", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }
    }
Improve this question

1 Answer 1

Reset to default
1

Password is a reserved word in Access. Change it to [Password] in your SQL queries. You should wrap all columns and tables like this.

Although this is just a school project I'll mention a few things:

Your code is vulnerable to SQL injection. Here's how to fix this for your insert method as an example:

sqlcommand.CommandText = "INSERT INTO [Users] ([User_ID], [Username], [Password], [Admin]) VALUES (@user_id, @username, @password, @admin)";
sqlcommand.Connection = connect;
sqlcommand.Parameters.AddWithValue("@user_id", textBox1.Text);
sqlcommand.Parameters.AddWithValue("@username", textBox2.Text);
sqlcommand.Parameters.AddWithValue("@password", textBox3.Text);
sqlcommand.Parameters.AddWithValue("@admin", admin);
reader = sqlcommand.ExecuteReader();

Also passwords shouldn't be stored in plain text. Look into password hashing and salting and how to approach it properly for more information.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thank you..!!! It works, i was trying to figure out on how to protect the password. I'm not sure how to but really thanks a lot!
Just a quick question sir, i have a bit of a problem whenever i add/edit/delete items on my data then after i close the program and open it again, all changes i made do not permanently save/reflect on the access database, do you know how to fix it?
Maybe you need to call OleDbCommand.ExecuteNonQuery rather than ExecuteReader. Also if you have a transaction active (i don't see one though) call OleDbTransaction.Commit. If that doesn't work try looking up some sample queries on access databases using OleDb objects and see if there are any differences. I'm not too familiar with Access databases.
If a reserved word is already in use, you can avoid error messages by surrounding each occurrence of the word with brackets ([ ]). However, the best solution is to change the name to a nonreserved word.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.