Hello guys. I am learning C# and I have been unable to get the delete function to work in my code. What could I be doing wrong?

Question

1.00/5 (2 votes)

See more:

Hello guys. I am learning C# and I have been unable to get the delete function to work in my code. What could I be doing wrong?

What I have tried:

C#

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.SqlClient;
namespace Point_of_sale
{
    public partial class manageUsers : Form
    {
        public manageUsers()
        {
            InitializeComponent();
        }
        SqlConnection Conn = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\GARNET6\Documents\inventorydb.mdf;Integrated Security=True;Connect Timeout=30");
     
        private void label1_Click(object sender, EventArgs e)
        {
            Application.Exit();

        }
        void populate()
        {
            try
            {
               Conn.Open();
                string Myquerry = "select * from UserTb1";
                SqlDataAdapter da = new SqlDataAdapter(Myquerry, Conn);
                SqlCommandBuilder builder =  new SqlCommandBuilder(da);
                var ds = new DataSet();
                da.Fill(ds);
                UsersGV.DataSource = ds.Tables[0];
                Conn.Close();
                

            }
            catch
            {

            }
        }

        private void textBox1_TextChanged(object sender, EventArgs e)
        {

        }

        private void button1_Click(object sender, EventArgs e)
        {
           
            try
            {
                Conn.Open();
                SqlCommand cmd = new SqlCommand("insert into UserTb1 values('" + UnameTb.Text + "', '" + FnameTb.Text + "', '" + PasswordTb.Text + "', '" + PhoneTb.Text + "')", Conn);
                cmd.ExecuteNonQuery();
                MessageBox.Show("User sucessfully added");
                Conn.Close();
                populate();


            }

            catch
            {

            }
        }

        private void label2_Click(object sender, EventArgs e)
        {

        }

        private void label5_Click(object sender, EventArgs e)
        {

        }

        private void richTextBox2_TextChanged(object sender, EventArgs e)
        {
          
        }

        private void dataGridView1_CellContentClick(object sender, DataGridViewCellEventArgs e)
        {
            UnameTb.Text = UsersGV.SelectedRows[0].Cells[0].Value.ToString();
            FnameTb.Text = UsersGV.SelectedRows[0].Cells[1].Value.ToString();
            PasswordTb.Text = UsersGV.SelectedRows[0].Cells[2].Value.ToString();
            PhoneTb.Text = UsersGV.SelectedRows[0].Cells[3].Value.ToString();


        }

        private void label6_Click(object sender, EventArgs e)
        {
            Application.Exit();
        }

        private void ManageUsers_Load(object sender, EventArgs e)
        {
            populate();
        }

        private void button3_Click(object sender, EventArgs e)
        {
            if (PhoneTb.Text == "")
            {
                MessageBox.Show("Proceed to delete?");

            }
            else
            {
                Conn.Open();
                string myquery = "delete from UserTb1 where Upassword '"+PhoneTb.Text+"'";
                SqlCommand cmd = new SqlCommand(myquery, Conn);
                cmd.ExecuteNonQuery();
                MessageBox.Show("User successfully deleted");
                Conn.Close();
                populate();
            }
        }


    }
}

Posted 12-Jan-22 22:47pm

bravian

Updated 13-Jan-22 8:07am

CHill60

v2

Add a Solution

Comments

CHill60 13-Jan-22 4:50am

First you need to tell us what is actually happening. Do you get an error message?
Next you need to use parameterised queries - your code is vulnerable to SQL Injection attack because of this line

string myquery = "delete from UserTb1 where Upassword '"+PhoneTb.Text+"'";

bravian 13-Jan-22 4:57am

hi. I get a System.NotImplementedException error

CHill60 13-Jan-22 5:26am

On which line??

bravian 13-Jan-22 5:33am

this line in the manageUser.Design.cs file

this.UsersGV.CellContentClick += new System.Windows.Forms.DataGridViewCellEventHandler(this.dataGridView1_CellContentClick);

CHill60 13-Jan-22 9:27am

That line isn't in the code you shared. So this is nothing to do with your delete function in button3_Click!

CHill60 13-Jan-22 5:31am

By the way - another problem you have is all those empty catch clauses - either get rid of the Try-Catch altogether so you can at least see the errors, or handle the errors properly (e.g. log them or report them in a message box). Never have empty catch clauses. Ever.

bravian 13-Jan-22 5:42am

thank you

Richard Deeming 13-Jan-22 6:55am

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Richard Deeming 13-Jan-22 6:56am

You're also storing passwords in plain text. Don't do that!

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

2 solutions

Solution 2

You've already gotten the solution, so I will just add that I encourage you to use Visual Studio's Data Designer to create your queries. The basic insert, update, and delete queries are automatically (and correctly) created for you. You then use a dataset as your in-memory database, table adapters to load the dataset from the database, and binding sources to connect your forms to your database (via the dataset).

Microsoft's ADO is a little like "The toe bone's connected to the foot bone, The foot bone's connected to the ankle bone, The ankle bone's connected to the leg bone," but it works really well once you get the hang of it.

As for the injection attacks, here's what they mean. If instead of their name, someone typed into the text box "; DROP TABLE Users;" that would delete your Users table (assuming you had such a table). Using table adapters will get around this, but you're just learning, so I wouldn't worry about it too much right now. Just keep it in mind.

Posted 13-Jan-22 8:07am

RobertSF

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

_Asif_ · Accepted Answer · 2022-01-13T03:35:00

You need to change this line

string myquery = "delete from UserTb1 where Upassword '"+PhoneTb.Text+"'";

To

string myquery = "delete from UserTb1 where UName = '"+UnameTb.Text + "'";

Your Query is vulnerable to SQL Injection Attack, please see OWASP Top Ten vulnerabilities for a detailed overview of security vulnerabilities.

You also need to know that we have assumed that UName is the User Name column in your UserTB1 table. If this name is incorrect please change UName to the Field name that corresponds to the User Name field.