Click here to Skip to main content
15,886,137 members
Search within:


Executenonquery: commandtext property has not been initialized'
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
C#
errors
execution
hi! im having a problem with my project, it was working in the morning and then now (evening) its not and i dont where the problem is. here are my codes and i hope you guys could help me with this. the problem says "
System.InvalidOperationException: 'ExecuteNonQuery: CommandText property has not been initialized'


private void submitBtn_Click(object sender, EventArgs e)
        {
            con.Open();

            string a = "Accept";
            string b = "Reject";
            string queryUpdate1 = "";
            string queryUpdate2 = "";

            if (accptBtn.Checked)
            {
                if(type_rdonly.Text == "SL")
                {
                    if (ifEmployeeExist(con, emptime_rdonly.Text))
                    {
                        queryUpdate1 = @"UPDATE [LEAVE_EMP] SET EMP_STATUS ='" + a + "'WHERE [EMP_TIME] ='" + emptime_rdonly.Text + "'";
                    }
                        queryUpdate2 = string.Format("UPDATE LEAVE_ADMIN SET L_SPENT_SL = (L_SPENT_SL + 1), L_REM_SL = (L_REM_SL - 1)");
                }
                if (type_rdonly.Text == "VL")
                {
                    if (ifEmployeeExist(con, emptime_rdonly.Text))
                    {
                        queryUpdate1 = @"UPDATE [LEAVE_EMP] SET EMP_STATUS ='" + a + "'WHERE [EMP_TIME] ='" + emptime_rdonly.Text + "'";
                    }
                    queryUpdate2 = string.Format("UPDATE LEAVE_ADMIN SET L_SPENT_VL = (L_SPENT_VL + 1),L_REM_VL = (L_REM_VL - 1)");
                }
                SqlCommand cmd1 = new SqlCommand(queryUpdate1, con);
                SqlCommand cmd2 = new SqlCommand(queryUpdate2, con);
                cmd1.ExecuteNonQuery();
                cmd2.ExecuteNonQuery();


What I have tried:

i checked my other back up and its the same.
Posted
Updated 22-Jan-19 4:47am
Add a Solution
Comments
F-ES Sitecore 22-Jan-19 10:22am    
Use the debugger to step through the code to see why your command text isn't being set. It's likely to be something to do with your inputs not being what you expect, but we don't know what those inputs are.
Pauline Agawin 22-Jan-19 10:30am    
hi! can we talk through email so i can show you my inputs? the error says

cmd 1 = system.data.sqlclient.sqlcommand
cmd 2 = system.data.sqlclient.sqlcommand
con = system.data.sqlclient.sqlcommand
queryUpdate2 = "UPDATE [LEAVE_ADMIN] SET L_SPENT_SL = (L_SPENT_SL + 1), L_REM_SL = (L_REM_SL - 1)"


2 solutions

There is a path through your code such that either or both of queryUpdate1and queryUpdate2 can still be the empty string after the if conditions: Specifically if typerdonly.Text is not "SL" or "VL", or if one of the inner if conditions fails.

You will need to either use the debugger to find out exactly what is happening, or add logging code to record exactly what is happened for analysis after the problem occurs.

You can then look back in your code to find out why values are not as you expect.

Sorry, but we can't do any of that for you!

Oh, and do yourself a favour: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
 
Share this answer
 
Posted
Updated 22-Jan-19 4:28am
v2
Comments
Pauline Agawin 22-Jan-19 10:59am    
hi! thank you for reply. im new to sql and our professor didnt teach us about stored procedure but i will try your suggestion! thank you!
First things first... Your code is vulnerable to SQL Injection attacks. This is because you are concantenating constant strings and end-user inputs. This has been a known vulnerability for over 20 years and is still in the top 10 active website hack methods still.
The way to fix this is going to use Parameters for the queries. Besides eliminating the vulnerability, this will also auto-type the parameters based on the variable type assigned- if you give it text it will take care of the single quotes, or other identifiers as needed by data type or connected database type. The downside is that if you have a number going in you need to make sure it is of the proper type, so if it is coming from a text box make sure it is conveted to the appropriate type.
Only a few lines need to be changed in your current code
C#
if(type_rdonly.Text == "SL")
{
  if (ifEmployeeExist(con, emptime_rdonly.Text))
  {
    // queryUpdate1 = @"UPDATE [LEAVE_EMP] SET EMP_STATUS ='" + a + "'WHERE [EMP_TIME] ='" + emptime_rdonly.Text + "'";
    queryUpdate1 = @"UPDATE [LEAVE_EMP] SET EMP_STATUS = @EmpStatus WHERE [EMP_TIME] = @EmpTime";
  }
  queryUpdate2 = "UPDATE LEAVE_ADMIN SET L_SPENT_SL = (L_SPENT_SL + 1), L_REM_SL = (L_REM_SL - 1)";
}
if (type_rdonly.Text == "VL")
{
   if (ifEmployeeExist(con, emptime_rdonly.Text))
   {
     // queryUpdate1 = @"UPDATE [LEAVE_EMP] SET EMP_STATUS ='" + a + "'WHERE [EMP_TIME] ='" + emptime_rdonly.Text + "'";
     queryUpdate1 = @"UPDATE [LEAVE_EMP] SET EMP_STATUS = @EmpStatus WHERE [EMP_TIME] = @EmpTime ";
   }
   queryUpdate2 = "UPDATE LEAVE_ADMIN SET L_SPENT_VL = (L_SPENT_VL + 1),L_REM_VL = (L_REM_VL - 1)";
}

SqlCommand cmd1 = new SqlCommand(queryUpdate1, con);
// new lines for parameters
cmd1.Parameters.AddWithValue("@EmpStatus", 1);
cmd1.Parameters.AddWithValue("@EmpTime", emptime_rdonly.Text);

When changing over to parameters I noticed a lack of a space between the single-quotes and the WHERE clause in Query #1
I also edited Query #2 as it did not need to be wrapped in string.Format()

Try this out and if you are still haveing problems, please try to troubleshoot and determine which command is failing; makes it easier to get a resolution
 
Share this answer
 
Posted
Comments
Pauline Agawin 22-Jan-19 11:00am    
hi! thank you for reply. im new to sql and our professor didnt teach us about stored procedure but i will try your suggestion! i will get back to you as soon as possible. thank you!
MadMyche 22-Jan-19 11:41am    
This is still TSQL, no stored procedures needed
Pauline Agawin 22-Jan-19 12:57pm    
where did you get the @EmpTime and @EmpStatus?
MadMyche 22-Jan-19 13:05pm    
Those are the names i chose to use when I edited "queryUpdate1".
Pauline Agawin 22-Jan-19 12:58pm    
i did your suggestions and i still get the same error. sorry but i am beginner, i researched about this kind of error and some people says it might be a connection error
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise
Privacy
Cookies
Terms of Use
Last Updated 22 Jan 2019
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web04 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900