VB.NET
Private Sub coursenamecmb_SelectedIndexChanged(sender As System.Object, e As System.EventArgs) Handles coursenamecmb.SelectedIndexChanged
    Dim con As New SqlConnection("Data Source=ASHUTOSH-PC\SQLEXPRESS;Initial Catalog=Art Station Management System;Integrated Security=True")
    Dim com As SqlCommand
    Dim dr As SqlDataReader
    Try
        con.Open()
        Dim str As String
        str = "SELECT * from Course where ccoursename = '" & coursenamecmb.Text & "'"
        com = New SqlCommand(str, con)
        dr = com.ExecuteReader
        While dr.Read
            coursenamecmb.Text = dr.GetString("ccoursename")
            crsefees.Text = dr.GetInt32("cfees")
        End While
        con.Close()
    Catch ex As Exception
        MsgBox(ex.Message)
    Finally
        con.Dispose()
    End Try
End Sub
Comments
Tomas Takac 25-Dec-15 12:18pm    
On what line? I see you are converting "cfees" to int but not "ccoursename".
Ashutosh Dutondkar 25-Dec-15 14:06pm    
The error is on the line coursenamecmb.Text = dr.GetString("ccoursename")

1 solution

First, your query uses "SELECT *" which is bad practice as a tiny change in the database table can change the order your columns are returned. ALWAYS use "SELECT columnName, columnName, columnName, ..." to return the data in a known column order.

You cannot use column names with SqlDataReader.GetString(), or any of the Get... methods on the DataReader. You can only use integer index values, which you would have seen had you read the documentation on SqlDataReader Class (System.Data.SqlClient).

Also, you opened yourself up to having your database destroyed by SQL Injection attacks. Google for "SQL Injection Attack" and "VB.NET sql parameterized query" to fix that problem.
 
Comments
Ashutosh Dutondkar 25-Dec-15 14:14pm    
I also tried using an integer index value, but then it gives me some other error like "error converting System.String To System.Decimal".
Dave Kreskowiak 25-Dec-15 22:36pm    
The integer column index is the only way to use GetString. It starts with 0 being the first column, not 1.
Ashutosh Dutondkar 26-Dec-15 2:08am    
Private Sub btstfidcmb_SelectedIndexChanged(sender As System.Object, e As System.EventArgs) Handles btstfidcmb.SelectedIndexChanged
    Dim con As New SqlConnection("Data Source=ASHUTOSH-PC\SQLEXPRESS;Initial Catalog=Art Station Management System;Integrated Security=True")
    Dim com As SqlCommand
    Dim dr As SqlDataReader
    Try
        con.Open()
        Dim str As String
        str = "select * from StaffRegister where stfstaffid = '" & btstfidcmb.Text & "'"
        com = New SqlCommand(str, con)
        dr = com.ExecuteReader
        While dr.Read 'GETTING ERROR ON THIS LINE'
            stfnametxt.Text = dr.GetString(1)
            stfmnametxt.Text = dr.GetString(2)
            stflnametxt.Text = dr.GetString(3)
        End While
        con.Close()
    Catch ex As SqlException
        MessageBox.Show(ex.Message)
    End Try
End Sub

Actually, I'm facing an error on the line While dr.Read when I attempt to close the form with the form's close icon. The code is working properly, but when I close the form it gives me the error "ERROR CONVERTING DATATYPE VARCHAR TO NUMERIC". I tried many things but the error is not getting solved. Can you please help me with this also?
Dave Kreskowiak 26-Dec-15 12:58pm    
That line cannot throw the specified exception. It's possible it's something weird where you're closing the form before the DataReader is done getting through the recordset. You've got problems with the design of your code because you have nothing Disposing the Connection, Command and DataReader objects, so your code is leaking resources. Look into the Using statement to fix this for you.

Seriously, I hope this code never makes it to a production environment because you risk destroying your database with it. You SERIOUSLY need to Google for "SQL Injection Attack" and see what I'm talking about.
Ashutosh Dutondkar 27-Dec-15 4:56am    
Dim con As New SqlConnection("Data Source=ASHUTOSH-PC\SQLEXPRESS;Initial Catalog=Art Station Management System;Integrated Security=True")
Dim com As SqlCommand
Dim str As String
Dim i = CInt(stuidcmb.Text)
Dim a = CInt(stuagetxt.Text)
Dim d As Date = DateTime.Parse(studobtxt.Text)
Dim gender As String = String.Empty
If stumalerd.Checked Then
    gender = "Male"
ElseIf stufemalerd.Checked Then
    gender = "Female"
End If
Try
    con.Open()
    str = "Insert into StudentRegister values (@sstudentid,@sname,@smiddlename,@ssurname,@sdob,@ccoursename,@btbatchid,@sage,@sgender,@scontact,@saddress,@scity,@sstate,@spincode,@semailid)"
    com = New SqlCommand(str, con)
    com.Parameters.AddWithValue("@sstudentid", i)
    com.Parameters.AddWithValue("@sname", stufnametxt.Text)
    com.Parameters.AddWithValue("@smiddlename", stumnametxt.Text)
    com.Parameters.AddWithValue("@ssurname", stulnametxt.Text)
    com.Parameters.AddWithValue("@sdob", d)
    com.Parameters.AddWithValue("@ccoursename", coursenamecmb.Text)
    com.Parameters.AddWithValue("@btbatchid", batchidcmb.Text)
    com.Parameters.AddWithValue("@sage", a)
    com.Parameters.AddWithValue("@sgender", gender)
    com.Parameters.AddWithValue("@scontact", stucntcttxt.Text)
    com.Parameters.AddWithValue("@saddress", stuaddtxt.Text)
    com.Parameters.AddWithValue("@scity", stucitytxt.Text)
    com.Parameters.AddWithValue("@sstate", stustatetxt.Text)
    com.Parameters.AddWithValue("@spincode", stupintxt.Text)
    com.Parameters.AddWithValue("@semailid", stuemailtxt.Text)
    com.CommandText = str
    com.ExecuteNonQuery()
Catch ex As Exception
    ' Empty Catch: any exception is swallowed here, so the success message below is shown even when the INSERT failed.
End Try
MsgBox("Record Inserted Successfully", MsgBoxStyle.Information)
Display()
clear()
con.Close()

Is this code of mine also open to SQL injection attacks? Please help me with the same: how to use a parameterized query and avoid attacks on my database.
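Added example, not code from the question, the solution, or any commenter: the question's SELECT handler rewritten along the lines of the solution and Dave Kreskowiak's comments (explicit column list, ordinal access, parameterized WHERE clause, Using blocks so the connection, command and reader are disposed even if the form closes mid-read), which is also the parameter technique the last comment asks about. It assumes the form class name CourseForm, that cfees is an int column, and an NVarChar(100) width for ccoursename; the connection string, control names and column names are the thread's own.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Windows.Forms

' Assumed form class name; the designer's partial class supplies coursenamecmb and crsefees.
Partial Public Class CourseForm
    Inherits Form

    ' The question's connection string, kept in one place.
    Private Const ConnStr As String = _
        "Data Source=ASHUTOSH-PC\SQLEXPRESS;Initial Catalog=Art Station Management System;Integrated Security=True"

    Private Sub coursenamecmb_SelectedIndexChanged(sender As Object, e As EventArgs) _
            Handles coursenamecmb.SelectedIndexChanged

        ' Explicit column list: the result's column order no longer depends on the table definition.
        Const sql As String = "SELECT ccoursename, cfees FROM Course WHERE ccoursename = @name"

        Try
            ' Using disposes the connection, command and reader on every exit path,
            ' including an exception or the form closing while the reader is still open.
            Using con As New SqlConnection(ConnStr)
                Using com As New SqlCommand(sql, con)
                    ' The combo box text is sent as a typed parameter value, never spliced into
                    ' the SQL text, so a quote character in it cannot alter the statement.
                    ' The NVarChar length is assumed; match it to the column definition.
                    com.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = coursenamecmb.Text
                    con.Open()
                    Using dr As SqlDataReader = com.ExecuteReader()
                        ' Get... methods take a 0-based ordinal; GetOrdinal resolves the name once.
                        Dim nameOrd As Integer = dr.GetOrdinal("ccoursename")
                        Dim feesOrd As Integer = dr.GetOrdinal("cfees")
                        If dr.Read() Then
                            coursenamecmb.Text = dr.GetString(nameOrd)
                            ' Use the Get method that matches the column's SQL type: GetInt32 for
                            ' int (assumed here, as in the question), GetDecimal for decimal/money.
                            crsefees.Text = dr.GetInt32(feesOrd).ToString()
                        End If
                    End Using
                End Using
            End Using
        Catch ex As SqlException
            MessageBox.Show(ex.Message)
        End Try
    End Sub
End Class
```

A value bound through a SqlParameter is sent as data and never parsed as SQL, which is why the INSERT in the last comment is not injectable through its parameters, while the two SELECT handlers that concatenate combo box text into the statement are. Parameters.Add with an explicit SqlDbType and length also avoids the implicit type and length inference that AddWithValue performs from the .NET value.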

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)