Click here to Skip to main content
15,912,756 members
Search within:


Return comand...when is reader not read value
Please Sign up or sign in to vote.
1.50/5 (2 votes)
See more:
C#
If reader read is ok, else 


{
                               notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FD7400");
                               messageLabel.Text = "Radnik ne postoji u bazi! \nProverite vašu karticu ili probajte ponovo!";
                               textBox1.Text = "";
                               readerresultTextbox.Clear();


Line going to insert comand and do it...I want to return on start if reader not read
I need recommendations?

What I have tried:

private void prijavaAction()  //novija doradjena....04.04.2018
       {

           {
               SqlConnection con = new SqlConnection(cs);

               if (textBox1.Text.All(char.IsDigit))

               {
                   string queryString = "SELECT [ime_prezime] FROM dbo.radnici WHERE bar_kod = '" + textBox1.Text + "'";// pronaci radnika u bazi
                   using (SqlConnection connection = new SqlConnection(cs))
                   {
                       SqlCommand command = new SqlCommand(queryString, connection);
                       connection.Open();
                       SqlDataReader reader = command.ExecuteReader();
                       try
                       {
                           if (reader.Read())  //radi
                                               //while (reader.Read())  //radi
                           {
                               notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#2EFF36");
                               messageLabel.Text = (reader["ime_prezime"].ToString()) + " je prijavljen u \n " + DateTime.Now.ToString("dd.MM.yyyy HH:mm:ss");
                               readerresultTextbox.Text = (reader["ime_prezime"].ToString());
                           }
                           else
                           {
                               notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FD7400");
                               messageLabel.Text = "Radnik ne postoji u bazi! \nProverite vašu karticu ili probajte ponovo!";
                               textBox1.Text = "";
                               readerresultTextbox.Clear();

                           }
                       }
                       finally
                       {
                           string prijava = "SELECT count(*) from dbo.prijava_radnika where vrijemeprijave is not null and vrijemeodjave is null and radnik = '" + readerresultTextbox.Text + "' and redni_broj is NULL";
                           SqlCommand provjeraprijaveradnika = new SqlCommand(prijava, con);
                           con.Open();
                           int result = Convert.ToInt32(provjeraprijaveradnika.ExecuteScalar());
                           //con.Open();
                           con.Close();
                           if ((result == 0)) //radi
                                              //if ((prijava !))
                           {
                               String saveStaff = "INSERT INTO dbo.prijava_radnika (vrijemeprijave, status, radnik,idfakture) VALUES(@vrijemeprijave,'prijavljen', '" + readerresultTextbox.Text + "',@idfakture)";
                               using (SqlConnection openCon2 = new SqlConnection(cs))
                               {
                                   using (SqlCommand querySaveStaff = new SqlCommand(saveStaff))
                                   {
                                       querySaveStaff.Connection = openCon2;
                                       querySaveStaff.Parameters.Add("@vrijemeprijave", SqlDbType.DateTime).Value = DateTime.Now;
                                       querySaveStaff.Parameters.Add("@idfakture", SqlDbType.Int).Value = id_fakture;
                                       openCon2.Open();
                                       querySaveStaff.ExecuteNonQuery();
                                       openCon2.Close();

                                       //notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FFE11A");
                                       // messageLabel.Text = (reader["ime_prezime"].ToString()) + " je prijavljen u \n " + DateTime.Now.ToString("dd.MM.yyyy HH:mm:ss");
                                   }
                               }
                           }
                           else
                           {

                               String updateStaff = " declare @maxNo integer = 0 select @maxNo = isnull(max(redni_broj), 0) from[dbo].[prijava_radnika] UPDATE[dbo].[prijava_radnika] SET"
                                   + " [vrijemeodjave] = @vrijemeodjave,[redni_broj] = (@maxNo+1),[status] = 'odjavljen' WHERE radnik = '" + readerresultTextbox.Text + "'and[status] = 'prijavljen'";



                               //string queryString = "SELECT [ime_prezime] FROM dbo.radnici WHERE bar_kod = '" + textBox1.Text + "'";// pronaci radnika u bazi
                               using (SqlConnection connection1 = new SqlConnection(cs))
                               {
                                   SqlCommand command1 = new SqlCommand(queryString, connection1);
                                   connection1.Open();
                                   SqlDataReader reader1 = command1.ExecuteReader();
                                   connection.Close();
                                   try
                                   {
                                       if (reader1.Read())
                                       {


                                           using (SqlConnection openCon3 = new SqlConnection(cs))
                                           {
                                               using (SqlCommand queryupdateStaff = new SqlCommand(updateStaff))
                                               {
                                                   queryupdateStaff.Connection = openCon3;
                                                   queryupdateStaff.Parameters.Add("@vrijemeodjave", SqlDbType.DateTime).Value = DateTime.Now;
                                                   openCon3.Open();
                                                   queryupdateStaff.ExecuteNonQuery();
                                                   openCon3.Close();

                                               }
                                           }

                                           notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FFE11A");
                                           messageLabel.Text = (reader1["ime_prezime"].ToString()) + " je odjavljen u \n " + DateTime.Now.ToString("dd.MM.yyyy HH:mm:ss");
                                       }
                                   }
                                   catch { }


                               }
                               // Always call Close when done reading.

                               reader.Close();
                           }
                       }
                   }
               }
               else
               {
                   notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FD7400");
                   messageLabel.Text = "Bar kod nije važeci ili nije bar kod";
                   textBox1.Text = "";
               }
           }
       }
Posted
Updated 4-Apr-18 0:37am
Add a Solution

3 solutions

The INSERT is inside a finally block, which means that no matter what happens that causes an exit from the try, that code is executed.

The finally block is meant for cleaning up after an operation is completed, regardless of its success or failure - it isn't there as a form of flow control to make sure you always try and insert something!

There are two things you need to look at here:
1) Your flow control: chances are that most of the code in your finally block belongs in the body of the try, with a return being used when the reader is empty.
2) Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
 
Share this answer
 
Posted
Thanks for advice, some solution?
 
Share this answer
 
Posted
Comments
Richard Deeming 4-Apr-18 12:21pm    
To reply to a solution, click the "Have a Question or Comment?" button under that solution.

DO NOT post your reply as a new "solution".
But readerresulttextbox late with value...if put couple wrong codes, insert into work first row with empty value from readerresulttextbox

private void prijavaAction()  //04.04. final doradjena
       {

           {
               SqlConnection con = new SqlConnection(cs);

               if (textBox1.Text.All(char.IsDigit))

               {
                   string queryString = "SELECT [ime_prezime] FROM dbo.radnici WHERE bar_kod = '" + textBox1.Text + "'";// pronaci radnika u bazi
                   using (SqlConnection connection = new SqlConnection(cs))
                   {
                       SqlCommand command = new SqlCommand(queryString, connection);
                       connection.Open();
                       SqlDataReader reader = command.ExecuteReader();
                       try
                       {
                           if (reader.Read())  //radi
                                               //while (reader.Read())  //radi
                           {
                               string prijava = "SELECT count(*) from dbo.prijava_radnika where vrijemeprijave is not null and vrijemeodjave is null and radnik = '" + readerresultTextbox.Text + "' and redni_broj is NULL";
                               SqlCommand provjeraprijaveradnika = new SqlCommand(prijava, con);
                               con.Open();
                               int result = Convert.ToInt32(provjeraprijaveradnika.ExecuteScalar());
                               //con.Open();
                               con.Close();
                               if ((result == 0)) //radi
                                                  //if ((prijava !))
                               {
                                   String saveStaff = "INSERT INTO dbo.prijava_radnika (vrijemeprijave, status, radnik,idfakture) VALUES(@vrijemeprijave,'prijavljen', '" + readerresultTextbox.Text + "',@idfakture)";
                                   using (SqlConnection openCon2 = new SqlConnection(cs))
                                   {
                                       using (SqlCommand querySaveStaff = new SqlCommand(saveStaff))
                                       {
                                           querySaveStaff.Connection = openCon2;
                                           querySaveStaff.Parameters.Add("@vrijemeprijave", SqlDbType.DateTime).Value = DateTime.Now;
                                           querySaveStaff.Parameters.Add("@idfakture", SqlDbType.Int).Value = id_fakture;
                                           openCon2.Open();
                                           querySaveStaff.ExecuteNonQuery();
                                           openCon2.Close();

                                           notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#2EFF36");
                                           messageLabel.Text = (reader["ime_prezime"].ToString()) + " je prijavljen u \n " + DateTime.Now.ToString("dd.MM.yyyy HH:mm:ss");
                                           readerresultTextbox.Text = (reader["ime_prezime"].ToString());
                                       }
                                   }
                               }
                               else
                               {

                                   String updateStaff = " declare @maxNo integer = 0 select @maxNo = isnull(max(redni_broj), 0) from[dbo].[prijava_radnika] UPDATE[dbo].[prijava_radnika] SET"
                                       + " [vrijemeodjave] = @vrijemeodjave,[redni_broj] = (@maxNo+1),[status] = 'odjavljen' WHERE radnik = '" + readerresultTextbox.Text + "'and [status] = 'prijavljen'";



                                   //string queryString = "SELECT [ime_prezime] FROM dbo.radnici WHERE bar_kod = '" + textBox1.Text + "'";// pronaci radnika u bazi
                                   using (SqlConnection connection1 = new SqlConnection(cs))
                                   {
                                       SqlCommand command1 = new SqlCommand(queryString, connection1);
                                       connection1.Open();
                                       SqlDataReader reader1 = command1.ExecuteReader();
                                       connection.Close();
                                       try
                                       {
                                           if (reader1.Read())
                                           {


                                               using (SqlConnection openCon3 = new SqlConnection(cs))
                                               {
                                                   using (SqlCommand queryupdateStaff = new SqlCommand(updateStaff))
                                                   {
                                                       queryupdateStaff.Connection = openCon3;
                                                       queryupdateStaff.Parameters.Add("@vrijemeodjave", SqlDbType.DateTime).Value = DateTime.Now;
                                                       openCon3.Open();
                                                       queryupdateStaff.ExecuteNonQuery();
                                                       openCon3.Close();

                                                   }
                                               }

                                               notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FFE11A");
                                               messageLabel.Text = (reader1["ime_prezime"].ToString()) + " je odjavljen u \n " + DateTime.Now.ToString("dd.MM.yyyy HH:mm:ss");
                                           }
                                       }
                                       catch { }


                                   }

                               }

                           }
                           else
                           {
                               notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FD7400");
                               messageLabel.Text = "Radnik ne postoji u bazi! \nProverite vašu karticu ili probajte ponovo!";
                               textBox1.Text = "";


                           }
                       }
                       finally
                       {

                       }
                   }

               }
               else
               {
                   notificationPanel.BackColor = System.Drawing.ColorTranslator.FromHtml("#FD7400");
                   messageLabel.Text = "Bar kod nije važeci ili nije bar kod";
                   textBox1.Text = "";
               }



           }


       }
 
Share this answer
 
Posted
Comments
Richard Deeming 4-Apr-18 12:22pm    
As above, this is not a solution.

And you clearly haven't read Griff's suggestions, as your code is STILL vulnerable to SQL Injection[^].
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise
Privacy
Cookies
Terms of Use
Last Updated 4 Apr 2018
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-05-30:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900