Click here to Skip to main content
16,017,278 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
private void btnSave_Click(object sender, RoutedEventArgs e)
       {
           try
           {
               if (isValid())
               {
                   SqlConnection conn = new SqlConnection(ConnectionString);
                   conn.Open();
                   SqlCommand cmd = new SqlCommand("add_user_details", conn);
                   cmd.CommandType = CommandType.StoredProcedure;
                   cmd.Parameters.AddWithValue("@id", SqlDbType.Int).Value = string.IsNullOrWhiteSpace(txtUserId.Text) ? DBNull.Value : (object)txtUserId.Text;
                   cmd.Parameters.AddWithValue("@emp_id", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelEmp.Text) ? DBNull.Value : (object)cmboSelEmp.Text;
                   cmd.Parameters.AddWithValue("@emp_name", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelEmp.Text) ? DBNull.Value : (object)cmboSelEmp.Text;
                   cmd.Parameters.AddWithValue("@usertype", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelUser.Text) ? DBNull.Value : (object)cmboSelUser.Text;
                   cmd.Parameters.AddWithValue("@privilege", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelUser.Text) ? DBNull.Value : (object)cmboSelUser.Text;
                   cmd.Parameters.AddWithValue("@username", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(txtUsername.Text) ? DBNull.Value : (object)txtUsername.Text;
                   cmd.Parameters.AddWithValue("@password", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(txtPassword.Password) ? DBNull.Value : (object)txtPassword.Password;
                   cmd.Parameters.AddWithValue("@branch", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboBranch.Text) ? DBNull.Value : (object)cmboBranch.Text;
                   //SqlCommand cmd = new SqlCommand("add_user_details'" + txtUserId.Text + "','" + cmboSelEmp.SelectedValuePath + "'," +
                   //    "'" + cmboSelEmp.Text+ "','" + cmboSelUser.SelectedValuePath+ "'," +
                   //    "'" + cmboSelUser.SelectedValuePath + "','" + txtUsername.Text + "','" + txtPassword.Password.ToString() + "'," +
                   //    "'" + cmboBranch.Text + "'", con);
                   cmd.ExecuteNonQuery();
                   conn.Close();
                   MessageBox.Show("Successfully saved", "Fill Field", MessageBoxButton.OK, MessageBoxImage.Information);
                   refresh();
               }
           }
           catch (SqlException ex)
           {
               MessageBox.Show(ex.Message);
           }
       }


What I have tried:

<pre> private void btnSave_Click(object sender, RoutedEventArgs e)
        {
            try
            {
                if (isValid())
                {
                    SqlConnection conn = new SqlConnection(ConnectionString);
                    conn.Open();
                    SqlCommand cmd = new SqlCommand("add_user_details", conn);
                    cmd.CommandType = CommandType.StoredProcedure;
                    cmd.Parameters.AddWithValue("@id", SqlDbType.Int).Value = string.IsNullOrWhiteSpace(txtUserId.Text) ? DBNull.Value : (object)txtUserId.Text;
                    cmd.Parameters.AddWithValue("@emp_id", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelEmp.Text) ? DBNull.Value : (object)cmboSelEmp.Text;
                    cmd.Parameters.AddWithValue("@emp_name", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelEmp.Text) ? DBNull.Value : (object)cmboSelEmp.Text;
                    cmd.Parameters.AddWithValue("@usertype", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelUser.Text) ? DBNull.Value : (object)cmboSelUser.Text;
                    cmd.Parameters.AddWithValue("@privilege", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboSelUser.Text) ? DBNull.Value : (object)cmboSelUser.Text;
                    cmd.Parameters.AddWithValue("@username", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(txtUsername.Text) ? DBNull.Value : (object)txtUsername.Text;
                    cmd.Parameters.AddWithValue("@password", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(txtPassword.Password) ? DBNull.Value : (object)txtPassword.Password;
                    cmd.Parameters.AddWithValue("@branch", SqlDbType.VarChar).Value = string.IsNullOrWhiteSpace(cmboBranch.Text) ? DBNull.Value : (object)cmboBranch.Text;
                    //SqlCommand cmd = new SqlCommand("add_user_details'" + txtUserId.Text + "','" + cmboSelEmp.SelectedValuePath + "'," +
                    //    "'" + cmboSelEmp.Text+ "','" + cmboSelUser.SelectedValuePath+ "'," +
                    //    "'" + cmboSelUser.SelectedValuePath + "','" + txtUsername.Text + "','" + txtPassword.Password.ToString() + "'," +
                    //    "'" + cmboBranch.Text + "'", con);
                    cmd.ExecuteNonQuery();
                    conn.Close();
                    MessageBox.Show("Successfully saved", "Fill Field", MessageBoxButton.OK, MessageBoxImage.Information);
                    refresh();
                }
            }
            catch (SqlException ex)
            {
                MessageBox.Show(ex.Message);
            }
        }
Posted
Updated 6-Sep-22 23:11pm
Comments
Richard Deeming 7-Sep-22 8:04am    
You are storing your users' passwords in plain text. Don't do that! Instead, store a salted and stretched hash of the password, using a cryptographically secure one-way hash algorithm.

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

1 solution

That's not a WPF problem: it's what you are sending to SQL.
C#
cmd.Parameters.AddWithValue("@id", SqlDbType.Int).Value = string.IsNullOrWhiteSpace(txtUserId.Text) ? DBNull.Value : (object)txtUserId.Text;

You don't show any code which validates any of your text boxes, so if txtUserId contains any non-numeric characters then the conversion will fail and your SQL will not work.

It's generally a good idea to validate and convert user input at the start of the method, then only continue if valid data has been entered.
C#
if (!int.TryParse(txtUserId.Text, out int id))
    {
    ... report a problem ...
    return;
    }
You can then use the id value directly in your SQL without any null checking:
C#
cmd.Parameters.AddWithValue("@id", SqlDbType.Int).Value = id;
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900