SQL Server table column value not update when hit by api provider - sql

I am using an API for recharge portal and provide them a page for recharge status update and the hit my page url with some query string parameter. Then I read the query string and update table. URL hit is showing in my IIS log but table is not updated but when I'm hitting manually same it has been update. I'm unable to find out reason behind.
Here is the url they hit
mypage.aspx?status=success&trans_no=12373&client_key=12368754&rech_no=9235155800&amount=10&opr_code=1&success_id=UEH1708181415290215&msg=recharge%20request%20was%20succeeded.
and here is the code of my page load event
string status = Request.QueryString["status"];
string apiRef = Request.QueryString["trans_no"];
string refId = Request.QueryString["client_key"];
string oRefId = Request.QueryString["success_id"];
if (status == "success")
status = "Success";
SqlConnection conn = new
SqlConnection(WebConfigurationManager.AppSettings["ConnString1"]);
SqlCommand cmd = new SqlCommand("UPDATE mytable SET status=#status
,oreference_id= #oRefId ,udate=GETDATE() WHERE ureference_id= #refId AND
areference_id= #apiRef", conn);
cmd.Parameters.AddWithValue("#status", status);
cmd.Parameters.AddWithValue("#oRefId", oRefId);
cmd.Parameters.AddWithValue("#refId", refId);
cmd.Parameters.AddWithValue("#apiRef", apiRef);
conn.Open();
cmd.ExecuteNonQuery();
conn.Close();
Any help will be appreciated. Thanks in advance.

You can try this code i hope it will work for you
string status = Request.QueryString["status"];
string apiRef = Request.QueryString["trans_no"];
string refId = Request.QueryString["client_key"];
string oRefId = Request.QueryString["success_id"];
if (status == "success")
status = "Success";
SqlConnection conn = new SqlConnection(WebConfigurationManager.AppSettings["ConnString1"]);
conn.Open();
SqlCommand cmd = new SqlCommand("UPDATE mytable SET status=#status ,oreference_id= #oRefId ,udate=GETDATE() WHERE ureference_id= #refId AND areference_id= #apiRef", conn);
cmd.Parameters.AddWithValue("#status", status);
cmd.Parameters.AddWithValue("#oRefId", oRefId);
cmd.Parameters.AddWithValue("#refId", refId);
cmd.Parameters.AddWithValue("#apiRef", apiRef);
cmd.ExecuteNonQuery();
conn.Close();

Related

Login Comparing hash value in a database

I am attempting to make a simple sign on portion of an app I am creating. To confirm sign in, I am just attempting to make sure that the hash value of the password entered, matches that which is stored in my local database: App_Users ) '
ButtonClick:
string AppUsername = textBox2.Text.ToString();
string AppPassword = textBox1.Text.ToString();
//- Hashed-V-
byte[] salt;
new RNGCryptoServiceProvider().GetBytes(salt = new byte[16]);
var pbkdf2 = new Rfc2898DeriveBytes(AppPassword, salt, 10000);
byte[] hash = pbkdf2.GetBytes(20);
byte[] hashBytes = new byte[36];
Array.Copy(salt, 0, hashBytes, 0, 16);
Array.Copy(hash, 0, hashBytes, 16, 20);
string savedPasswordHash = Convert.ToBase64String(hashBytes); // <-- see ' https://stackoverflow.com/questions/4181198/how-to-hash-a-password ' for the part on comparing the recalculated
//-
SqlConnection con = new SqlConnection();
con.ConnectionString = ("Data Source=DESKTOP-PGHMM6M;Initial Catalog=LocalUsers;Integrated Security=True");
con.Open();
var cmd = new SqlCommand(#"SELECT Username, Hash FROM App_Users WHERE (Hash = #Hash");
cmd.Connection = con;
savedPasswordHash = cmd.ExecuteScalar() as string;
if (cmd.ExecuteNonQuery() > 0) {
MessageBox.Show(" Query successful..something matched.. ");
//change page.. load a profile?
}
However, I am getting the error:
'Must declare the scalar variable "#Hash".'
I've searched around but I'm not sure what the next step for exactly what I am trying to do is.. Sorry this is probably a bad question, sql-wise. I think it has something to do with an adapter?
You didn't pass a value for the #Hash parameter in the query. And you should also check for the user name in the query or else the login attempt is successful if any login uses the given password.
Try something like:
...
var cmd = new SqlCommand(#"SELECT Username, Hash FROM App_Users WHERE Hash = #Hash AND Username = #Username");
cmd.Connection = con;
cmd.Parameters.Add("#Hash", SqlDbType.VarChar, 48).Value = savedPasswordHash;
cmd.Parameters.Add("#Username", SqlDbType.NVarChar, 32).Value = AppUsername;
if (cmd.ExecuteNonQuery() > 0) {
...
This assumes, that App_Users.Hash is a VARCHAR(48) and App_Users an NVARCHAR(32). You may need to change it to match the data types you're actually using.

Like and = operater is not working together in signal query

I am using sap.net web form. In this web form i have a text and a button. user enter name or id and hit search button. Searching with id is working fine but with name it is not working.
What i am missing here help me out please.
String Status = "Active";
String BDstring = ConfigurationManager.ConnectionStrings["CS"].ConnectionString;
using (SqlConnection conn = new SqlConnection(BDstring))
{
try
{
String query = "SELECT * from Driver where(Name LIKE '%' + #search + '%' OR DriverID = #search) AND Status = 'Active'";
SqlCommand cmd = new SqlCommand(query, conn);
cmd.Parameters.AddWithValue("#search", SearchTextBox.Text);
conn.Open();
SqlDataReader SDR = cmd.ExecuteReader();
DataTable DT = new DataTable();
if (SDR.HasRows)
{
DT.Load(SDR);
GridView.DataSource = DT;
GridView.DataBind();
}
}
catch (SqlException exe)
{
throw exe;
}
}
}
The code is generating an exception. The fact that you're unaware of this indicates that you have "error handling" somewhere in your system that is, in fact "error hiding". Remove empty catch blocks, or pointless catch blocks such as the one in your question that just destroys some information in the exception and re-throws it. Those aren't helping you.
The actual problem is that the DriverID column is int and your parameter is varchar. So long as the varchar contains a string that can be converted to a number (which is the direction that the conversion happens in due to precedence), the query is well-formed.
As soon as the parameter contains a string that cannot be implicitly converted to a number, SQL Server generates an error that .NET turns into an exception.
For your LIKE variant, you're forcing a conversion in the opposite direction (numeric -> varchar) since LIKE only operates on strings. That conversion will always succeed, but it means that you're performing textual comparisons rather than numeric, and also means there's no possible index usage here.
I'd suggest that you change your C# code to attempt a int.TryParse on the input text and then uses two separate parameters to pass strings and (optionally) their numeric equivalent to SQL Server. Then use the appropriate parameters in your query for each comparison.
Something like:
String Status = "Active";
String BDstring = ConfigurationManager.ConnectionStrings["CS"].ConnectionString;
using (SqlConnection conn = new SqlConnection(BDstring))
{
String query = "SELECT * from Driver where(Name LIKE '%' + #search + '%' OR " +
"DriverID = #driverId) AND Status = 'Active'";
SqlCommand cmd = new SqlCommand(query, conn);
cmd.Parameters.Add("#search", SqlDbType.VarChar,50).Value = SearchTextBox.Text;
cmd.Parameters.Add("#driverId", SqlDbType.Int);
int driverId;
if(int.TryParse(SearchTextBox.Text, out driverId))
{
cmd.Parameters["#driverId"].Value = driverId;
}
conn.Open();
SqlDataReader SDR = cmd.ExecuteReader();
DataTable DT = new DataTable();
if (SDR.HasRows)
{
DT.Load(SDR);
GridView.DataSource = DT;
GridView.DataBind();
}
}
"SELECT * from Driver where (Name LIKE '%" + #search + "%'
OR DriverID = '" + #search + "' ) AND Status = 'Active'";
how about this?

SqlDataAdapter.update() not updating database

I am searching for (PostId,UserId) into PostLikes table using SqlDataAdapter, if the row is found , I am using SqlCommandBuilder.GetDeleteCommand() to generate the delete instruction and deleting the underlying row, if the row is not found, then I use SqlCommandBuilder.GetInsertCommand() to generate the insert command and inserting the row to the table using SqlDataAdapter.Update(). But the row is not getting inserted to the table in database. Here is what I have done so far
SqlConnection con = new SqlConnection(connectionStrings);
SqlDataAdapter sqlDataAdapter=new SqlDataAdapter("select * from PostLikes where PostId like "
+postlike.PostId+" and UserId like "
+postlike.UserId,con);
DataSet ds = new DataSet();
sqlDataAdapter.Fill(ds, "Result");
con.Open();
SqlCommandBuilder sqlCommandBuilder = new SqlCommandBuilder(sqlDataAdapter);
if(ds.Tables["Result"].Rows.Count==1)
{
sqlDataAdapter.DeleteCommand = sqlCommandBuilder.GetDeleteCommand(true);
msg = "Data is deleted";
}
else
{
sqlDataAdapter.InsertCommand = sqlCommandBuilder.GetInsertCommand(true);
msg = "Data is inserted";
}
sqlDataAdapter.Update(ds, "Result");
and the tablePostLikes(LikeId,PostId,UserId)
There are a couple of issues:
You are looking to reuse the same command to both detect whether the row exists, and to supply to the SqlAdapter for the SqlCommandBuilder.
You should parameterise the initial select query to protect against SqlInjection attacks (and there is a minor performance benefit). The CommandBuilder will automatically parameterize the Insert / Delete commands
After creating the Insert / Delete commands with the SqlCommandBuilder, you then need to change the underlying dataset in order for any changes to be made to the table during the Update.
Note that many of the Sql objects are IDisposable and should be disposed ASAP - using scopes help here.
.
var postId = 1;
var userId = 1;
string msg;
using (var con = new SqlConnection(#"data source=..."))
using (var selectCommand = new SqlCommand(
"select LikeId, PostId, UserId from PostLikes WHERE PostId=#PostId AND UserId=#UserId", con))
using (var sqlDataAdapter = new SqlDataAdapter(selectCommand))
using (var ds = new DataSet())
{
con.Open();
selectCommand.Parameters.AddWithValue("#PostId", postId);
selectCommand.Parameters.AddWithValue("#UserId", userId);
sqlDataAdapter.Fill(ds, "Result");
using (var sqlCommandBuilder = new SqlCommandBuilder(sqlDataAdapter))
{
if (ds.Tables["Result"].Rows.Count == 1)
{
sqlDataAdapter.DeleteCommand = sqlCommandBuilder.GetDeleteCommand(true);
ds.Tables["Result"].Rows[0].Delete();
msg = "Data will be deleted";
}
else
{
sqlDataAdapter.InsertCommand = sqlCommandBuilder.GetInsertCommand(true);
// Null because LikeId is Identity and will be auto inserted
ds.Tables["Result"].Rows.Add(null, postId, userId);
msg = "Data will be inserted";
}
sqlDataAdapter.Update(ds, "Result");
}
}
I've assumed the following Schema:
CREATE TABLE PostLikes
(
LikeId INT IDENTITY(1,1) PRIMARY KEY,
PostId INT,
UserId INT
)
And I've assumed you want to 'toggle' the insertion or deletion of a row with the postId, userid combination.

ExecuteReader returns no results, when inspected query does

Consider the following code:
StringBuilder textResults = new StringBuilder();
using(SqlConnection connection = new SqlConnection(GetEntityConnectionString()))
{
connection.Open();
m.Connection = connection;
SqlDataReader results = m.ExecuteReader();
while (results.Read())
{
textResults.Append(String.Format("{0}", results[0]));
}
}
I used Activity Monitor within Sql Server Mgmt Studio on the database to inspect the exact query that was being sent. I then copied that query text to a query editor window within SSMS, and the query returned the expected results. However, SqlDataReader results is always empty, indicating "The enumeration returned no results."
My suspicion is that somehow the results are not being returned correctly, which makes me think there's something wrong with the code above, and not the query itself being passed.
Is there anything that would cause this in the code above? Or something I've overlooked?
EDIT:
Here is the query as indicated by the SQLCommand object:
SELECT DISTINCT StandardId,Number
FROM vStandardsAndRequirements
WHERE StandardId IN ('#param1','#param2','#param3')
ORDER BY StandardId
Here is the query as it appears in Activity Monitor:
SELECT DISTINCT StandardId,Number
FROM vStandardsAndRequirements
WHERE StandardId IN ('ABC-001-0','ABC-001-0.1','ABC-001-0')
ORDER BY StandardId
The query is working against a single view.
When I ran the second query against the database, it returned 3 rows.
The SqlDataReader indicates 0 rows.
try to use Sqldata adapter instead of sqldatreader.
StringBuilder textResults = new StringBuilder();
using (var conn = new SqlConnection(GetEntityConnectionString())))
{
using (
var cmd = new SqlCommand(
"SELECT DISTINCT StandardId,Number" +
"FROM vStandardsAndRequirements " +
"WHERE StandardId IN (#param1,#param2,#param3)" +
"ORDER BY StandardIdl"
, conn))
{
var dSet = new DataSet();
var dt = new Datatable();
var da = new SqlDataAdapter(cmd);
cmd.Parameters.Add("#param1", SqlDbType.VarChar, 50).Value = "ABC-001-0";
cmd.Parameters.Add("#param2", SqlDbType.VarChar, 50).Value = "ABC-001-0.1";
cmd.Parameters.Add("#param3", SqlDbType.VarChar, 50).Value = "ABC-001-0";
try
{
da.Fill(dSet);
dt = dSet.Tables[0];
foreach(Datarow a in dt.Rows)
{
textResults.Append(a["StandardId"].tostring()).AppendLine();
}
Messabox.Show(textResults.tostring);
}
catch (SqlException)
{
throw;
}
finally
{
if (conn.State == ConnectionState.Open) conn.Close();
}
}
}
Regards.
Are you sure it is
WHERE StandardId IN ('#param1','#param2','#param3')
instead of this?
WHERE StandardId IN (#param1,#param2,#param3)
Parameters should not be quoted, not in the SQLCommand object.
Very nice behavior I've observed
I looked for errors in code:
... dr = command.ExecuteReader() ... If dr.Read Then ...
and found that 'dr.Read' works fine, but...
when I mouseover on 'dr', to lookup for data, return values disappeared !
Check your connection string and make sure you are not connecting as a user instance.
http://msdn.microsoft.com/en-us/library/ms254504.aspx

Problem with batch update using DataAdapter

I am updating the sql server 2005 database using batch update, as shown below
cmd = new SqlCommand("update Table1 set column1 = #column1 where EmpNo = #EmpNo", con);
cmd.Parameters.Add(new SqlParameter("#column1", SqlDbType.VarChar));
cmd.Parameters["#column1"].SourceVersion = DataRowVersion.Current;
cmd.Parameters["#column1"].SourceColumn = "Column";
cmd.Parameters.Add(new SqlParameter("#EmpNo", SqlDbType.Int));
cmd.Parameters["#EmpNo"].SourceVersion = DataRowVersion.Current;
cmd.Parameters["#EmpNo"].SourceColumn = "EmpNo";
cmd.UpdatedRowSource = UpdateRowSource.None;
sqlDa = new SqlDataAdapter();
con.Open();
sqlDa.UpdateCommand =cmd;
sqlDa.UpdateBatchSize = 10;
sqlDa.Update(dt);
con.Close();
But the data is not updated.I am unable to figure out what is the problem.Any help is appreciated.
I would suggest that you look at the dt right before you issue the update command. Make sure there are some rows that have RowState of Updated or Added. If not, there's nothing in your (I'm assuming) DataTable to update to the database.
Also, try removing the .SourceVersion property set operation.
If everything looks good, start a trace on the database right before you issue the .Update.
These are just a couple first steps to try.
SqlDataAdapter approach
using (SqlCommand insertCommand=new SqlCommand(
"INSERT BulkLoadTable(FieldA, FieldB) VALUES (#FieldA, #FieldB)", connection))
{
insertCommand.Parameters.Add("#FieldA", SqlDbType.VarChar, 10, "FieldA");
insertCommand.Parameters.Add("#FieldB", SqlDbType.Int, 4, "FieldB");
// Setting UpdatedRowSource is important if you want to batch up the inserts
insertCommand.UpdatedRowSource = UpdateRowSource.None;
using (SqlDataAdapter insertAdapter = new SqlDataAdapter())
{
insertAdapter.InsertCommand = insertCommand;
// How many records to send to the database in one go (all of them)
insertAdapter.UpdateBatchSize = myDataTable.Rows.Count;
// Send the inserts to the database
insertAdapter.Update(myDataTable);
}
}