Click here to Skip to main content
15,917,875 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hello,

I have a problem updating a Decimal number in a sqlce database.
The database
Using the 2017 version of Visual studio and framework 3.5

Numeric 18.3 and nulls allowd


VB
<pre>cmd = New SqlCeCommand("Update Gegevens Set Kg ='" & Kg.Text & "' Where Id='" & Gegevensid.Text & "'", con)
        If con.State = ConnectionState.Closed Then con.Open()
        cmd.ExecuteNonQuery()
        If con.State = ConnectionState.Open Then con.Close()


The error is

VB
System.Data.SqlServerCe.SqlCeException
  HResult=0x80131501
  Message=Data conversion failed. [ OLE DB status value (if known) = 0 ]
  Source=SQL Server Compact ADO.NET Data Provider


I can save the number in the database , but not update .

The code i used many times in an other project but now an error ?

What am i missing

Think it means there is a 0 in the textbox ?

What I have tried:

Use the code before but now error.

When i change it to a other column with Nvarchar there is no problem , it is updating.
Posted
Updated 30-Dec-18 9:41am
Comments
Bryian Tan 30-Dec-18 0:16am    
Try convert to decimal before updating.

VB
cmd = New SqlCeCommand("Update Gegevens Set Kg ='" & Kg.Text & "' Where Id='" & Gegevensid.Text & "'", con)

Not necessary a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
 
Share this answer
 
Comments
BASSIES 29-Dec-18 16:38pm    
Thanks for the warning,

And it crased , do you have an example ho i update this .

Reading something about it but can't really figure it out what to change.


cmd = New SqlCeCommand("Update Gegevens Set Kg ='" & Kg.Text & "' Where Id='" & Gegevensid.Text & "'", con)
Patrice T 29-Dec-18 17:22pm    
To understand what is the problem, you need to see what is the exact command you send.
tmp="Update Gegevens Set Kg ='" & Kg.Text & "' Where Id='" & Gegevensid.Text & "'"
cmd = New SqlCeCommand(tmp, con)
and inspect tmp when error.
BASSIES 29-Dec-18 17:32pm    
This is working or am i reading it wrong about sql injection.

A different example with a column in Nvarchar , where it crased before and now it is saving

cmd = New SqlCeCommand("UPDATE Gevaren Set Vertrekvaren = @Vertrekvaren Where Id='" & Gevarenid.Text & "'", con)
If con.State = ConnectionState.Closed Then con.Open()
cmd.Parameters.Add("@Vertrekvaren", SqlDbType.NVarChar).Value = Vertrekvaren.Text
cmd.ExecuteNonQuery()
BASSIES 29-Dec-18 16:42pm    
OriginalGriff ,

You are wright also , but i was focused on the update and didnot understand SQL Injection.

And Yes i have a problem
BASSIES 30-Dec-18 15:44pm    
Thanks OriginalGriff and Patrice T ,

Learned al lot with this question, i must read more about SQL Injection.

Now it was a litte thing to change the update so early in my programm.
Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Start by using decimal.TryParse to convert the user input to decimal values - reporting errors to the user - and then pass the converted values directly as parameters. That way, the you know what you are sending to the DB is valid and correct.
 
Share this answer
 
Comments
BASSIES 29-Dec-18 8:56am    
Hello,

The input of the textbox is for example 14,025

This is Decimal with 3 behind the comma

What am i missing
OriginalGriff 29-Dec-18 9:14am    
That the DB will probably assume that is 14025?

Use decimal.TryParse to convert it, if necessary telling it what format the user has used (the default for western computers is 14.025 not 14,025 so you may need to specify a culture to convert it correctly).

https://docs.microsoft.com/en-us/dotnet/api/system.decimal.tryparse?view=netframework-4.7.2
BASSIES 29-Dec-18 9:56am    
Hello ,

Found something after your answer , I write it to the database as Decimal with a comma

Get the value from the database and it is with a comma . Fine that is how i want to see it in the textbox.

When i Update i have to use a dot ?

Dont know why but i works.

Never have to do that with a dot , maybe i am using the 2017 version now ?

Thanks.
Patrice T 30-Dec-18 18:25pm    
Hi OG,
Read the comments I got from OP, they are for you too.
OriginalGriff 31-Dec-18 2:56am    
Thanks! Nice to get a little appreciation, once in a while. :)
cmd = New SqlCeCommand("UPDATE Cijfers Set Kg= @Kg Where Id='" & Cijfersid.Text & "'", con)
If con.State = ConnectionState.Closed Then con.Open()
cmd.Parameters.Add("@Kg", SqlDbType.Decimal).Value = Kg.Text
cmd.ExecuteNonQuery()
 
Share this answer
 
Comments
Patrice T 30-Dec-18 18:27pm    
Using a second parameter for Cijfersid.Text will really secure your SQL command.
BASSIES 31-Dec-18 4:55am    
Patrice T,

Like this ?

cmd = New SqlCeCommand("UPDATE Cijfers Set Kg= @Kg Where Id = @Id", con)
If con.State = ConnectionState.Closed Then con.Open()
cmd.Parameters.Add("@Id", SqlDbType.NVarChar).Value = Cijfersid.Text
cmd.Parameters.Add("@Kg", SqlDbType.Decimal).Value = Kg.Text
cmd.ExecuteNonQuery()

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900