0

I have two comboboxes, a messagebox and a Send button. When the app startups and I click on the Send button with the comboboxes and messagebox empty, a pop-up box comes up and says "Select a client" After doing this, I go back to the database and see that it has added a new record to that table, even though I didn't put in any data after clicking on the "Send" button. Same applies for when one of the three controls I have has data in it, but the other two don't, and the program asks me to enter that data before it succeeds. But it still adds the record despite having those If Statements. What am I doing wrong?

My code:

Using con As New SqlConnection(ConfigurationManager.ConnectionStrings("conStr").ConnectionString) con.Open() Using cmd As New SqlCommand cmd.Connection = con cmd.CommandText = "insert into tblMyTable(Client, UserName, Message) values('" & cboClient.Text & "', '" & cboUser.Text & "', '" & rtfMessage.Text & "')" cmd.ExecuteNonQuery() End Using If cboClient.Text = "" Then MsgBox("Select a client") ElseIf cboUser.Text = "" Then MsgBox("Select a user") ElseIf rtfMessage.Text = "" Then MsgBox("Enter a message") Else MsgBox("Message Sent") End If con.Close() End Using
Improve this question
5
  • 2
    You are executing the query, then asking for the user to validate the data? Use parameters to avoid sql injection, btw. Commented Jun 29, 2015 at 16:24
  • You do an insert before any of your conditional checks, which have no effect on the sql command anyways. Commented Jun 29, 2015 at 16:24
  • Of course it gets the new row. The only line that inserts the data is before the IF statements. BTW, your code is a textbook example of sql injection. You need to parameterize that query. Commented Jun 29, 2015 at 16:24
  • How would I do that? Commented Jun 29, 2015 at 16:25
  • Use a parameterized insert, you have an SQL Injection vulnerability. Commented Jun 29, 2015 at 16:30

2 Answers 2

Reset to default
1

I think you want something like this (note this does not address parameterization concerns):

Using con As New SqlConnection(ConfigurationManager.ConnectionStrings("conStr").ConnectionString) If cboClient.Text = "" Then MsgBox("Select a client") ElseIf cboUser.Text = "" Then MsgBox("Select a user") ElseIf rtfMessage.Text = "" Then MsgBox("Enter a message") Else con.Open() Using cmd As New SqlCommand cmd.Connection = con cmd.CommandText = "insert into tblMyTable(Client, UserName, Message) values('" & cboClient.Text & "', '" & cboUser.Text & "', '" & rtfMessage.Text & "')" cmd.ExecuteNonQuery() End Using MsgBox("Message Sent") End If con.Close() End Using
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I guess this should work for now. I'll try to paramaterized it. Thanks!
0

Similar solution to @OldProgrammer, with an attempt at parameterized insert.

 Private Sub SendButton_Click(sender As System.Object, e As System.EventArgs) Handles SendButton.Click Try If writeMessage() Then MessageBox.Show("Message sent.", "Success") End If Catch ex As Exception MessageBox.Show(String.Concat("An error occurred sending this message:", ex.Message)) End Try End Sub Private Function writeMessage() As Boolean If isValidMessage() Then writeMessageInfo() Return True End If Return False End Function Private Sub writeMessageInfo() Using con As New SqlConnection(yourConnectionString) con.Open() Using cmd As New SqlCommand cmd.Connection = con cmd.Parameters.Add(New SqlParameter("clientValue", cboClient.Text)) cmd.Parameters.Add(New SqlParameter("userValue", cboUser.Text)) cmd.Parameters.Add(New SqlParameter("messageText", rtfMessage.Text)) cmd.CommandText = "insert into tblMyTable(Client, UserName, Message) values(@clientValuem, @userValue, @messageText)" cmd.ExecuteNonQuery() End Using con.Close() End Using End Sub Private Function isValidMessage() As Boolean If cboClient.SelectedIndex = -1 Then MessageBox.Show("Please select a client.", "Missing info") cboClient.Focus() Return False End If If cboUser.SelectedIndex = -1 Then MessageBox.Show("Please select a user.", "Missing info") cboUser.Focus() Return False End If If rtfMessage.Text = String.Empty Then MessageBox.Show("Please enter a message.", "Missing info") rtfMessage.Focus() Return False End If Return True End Function
Improve this answer

2 Comments

I have this button here: Private Sub btnSend_Click(sender As Object, e As EventArgs) Handles btnSend.Click MessageSent() End Sub But what you have here isn't working for me.
I'm also not getting those pop-up messages too. I click on the button multiple times and it adds the data to the table regardless.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.