Reputation: 87
I wish to insert and update the data from the textbox.
Why is my data not being updated in the database? (Microsoft SQL Server Management Studio) Can anyone please help me? Appreciated!
' connection
' update
If dt.Rows.Count > 0 Then
    sql = "Update adm SET qty = '" & txtqty.Text & "' Where xxx = '" & Trim(Session("xxx")) & "' "
    cmd = New SqlCommand(sql, conn)
    'conn.open()
    cmd.ExecuteNonQuery()
    txtqty.Text = ""
Else
    ' do insert
    crow = ds.tables("adm").newrow()
    crow("xxx") = Session("xxxx")
    crow("xxx") = Session("xxx")
    crow("xxx") = xxxxx
    crow("xxx") = xxxxx
    crow("xxxxx") = xxxxx
    crow("xxxx") = xxxxx
    crow("xxxxx") = xxxxx
    crow("xxxx") = xxxxx
    crow("xxxx") = xxxxx
    crow("qty") = trim(txtqty.text)
    ds.tables("adm").rows.add(crow)
    da.update(ds, "adm")
    lbl.Text = "<strong>Data saved! </strong>"
    conn.close()
End If
Here is the connection
sql = "SELECT * FROM adm "
conn = New SqlConnection(ConnStr)
cmd = New SqlCommand(sql, conn)
conn.open()
da = New SqlDataAdapter(cmd)
cb = New SqlCommandBuilder(da)
ds = New DataSet
da.fill(ds, "adm")
dt = ds.Tables(0)
Upvotes: 0
Views: 167
Reputation: 754200
You should always use parametrized queries to avoid SQL injection vulnerabilities - and it's faster, too!
To use parameters, write your SQL statement like this:
string stmt = "Update adm SET qty = @Qty WHERE ID = @ID";
and then use it like this:
using (SqlCommand cmd = new SqlCommand(stmt, conn))
{
    cmd.Parameters.Add("@Qty", SqlDbType.Int).Value = 42;
    cmd.Parameters.Add("@ID", SqlDbType.Int).Value = 4711;
    conn.Open();
    cmd.ExecuteNonQuery();
}
More resources on using parametrized queries in ADO.NET:
Upvotes: 1
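The answer's parameterized pattern applied to the question's VB.NET update, as an added example that is not part of the original question or answer. The names `AdmQtyUpdate`, `TryParseQty` and `UpdateQty` are hypothetical; `xxx` is the question's redacted key column, and the `Int` type for `qty`, the non-negative rule, and `NVarChar(50)` for the key are assumptions.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module AdmQtyUpdate

    ' Validate the textbox text as a non-negative whole number (assumed rule).
    ' Anything else is rejected before it can reach the database.
    Function TryParseQty(text As String, ByRef qty As Integer) As Boolean
        Return Integer.TryParse(If(text, "").Trim(), qty) AndAlso qty >= 0
    End Function

    ' Parameterized version of the question's UPDATE statement.
    ' "xxx" is the question's redacted key column; NVarChar(50) is an assumed type.
    ' Returns the number of rows changed: 0 means the WHERE clause matched nothing,
    ' which is the first thing to check when an update "does nothing".
    Function UpdateQty(connStr As String, key As String, qty As Integer) As Integer
        Const sql As String = "UPDATE adm SET qty = @Qty WHERE xxx = @Key"
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(sql, conn)
                ' Values travel as typed parameters, never as part of the SQL text.
                cmd.Parameters.Add("@Qty", SqlDbType.Int).Value = qty
                cmd.Parameters.Add("@Key", SqlDbType.NVarChar, 50).Value = If(key, "").Trim()
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample inputs; only the validation step runs without a database.
        For Each sample As String In {"12", " 7 ", "", "abc", "-3", "12abc"}
            Dim qty As Integer
            Console.WriteLine("{0,-8} -> {1}", """" & sample & """", TryParseQty(sample, qty))
        Next
    End Sub

End Module
```

In the page handler, call `TryParseQty(txtqty.Text, qty)` first and only call `UpdateQty(ConnStr, CStr(Session("xxx")), qty)` when it returns True.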