A question regarding C# and SQL [closed]
I want to update an existing record. The way I have pasted my code here, I have successfully achieved my task, but I don't actually want to do the update that way. I want to do it so that I get the id of the customer.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Update handler: the UPDATE statement is built by concatenating the text-box
// values directly into the SQL string, with the CustomerID read from tbID.
private void btnUpdate_Click(object sender, EventArgs e)
{
    SqlConnection cn = new SqlConnection(@"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True");
    if (cn.State == ConnectionState.Closed)
    {
        cn.Open();
    }
    int result = new SqlCommand("Update Customer set Customer_Name = '" + tbName.Text + "',Cell_Number = '" + tbContactNumber.Text + "',Customer_Address = '" + tbAddress.Text + "' where CustomerID = " + tbID.Text, cn).ExecuteNonQuery();
    if (cn.State == ConnectionState.Open)
    {
        cn.Close();
    }
    cn.Dispose();
    BindGridView();
}

// Loads the whole Customer table into the grid.
private void BindGridView()
{
    SqlConnection cn = new SqlConnection(@"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True");
    SqlCommand cmd = new SqlCommand("Select * from Customer", cn);
    SqlDataAdapter da = new SqlDataAdapter(cmd);
    DataTable dt = new DataTable();
    da.Fill(dt);
    dgView_CustomerInfo.DataSource = dt.DefaultView;
}

// Copies the clicked row's values, including the CustomerID, into the text boxes.
private void dgView_CustomerInfo_RowHeaderMouseClick(object sender, DataGridViewCellMouseEventArgs e)
{
    tbID.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["CustomerID"].Value.ToString();
    tbName.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Customer_Name"].Value.ToString();
    tbContactNumber.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Cell_Number"].Value.ToString();
    tbAddress.Text = dgView_CustomerInfo.Rows[e.RowIndex].Cells["Customer_Address"].Value.ToString();
}
Coding Gorilla above has already given you a perfectly good answer, and I support it.
The question you'll find yourself asking about 20 minutes after this goes live is: "Hey, how did all these hackers get my data?"
The method you have above is RIPE for SQL Injection. Read about it here: http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Don't put code like this into production. Sanitize your inputs and use parameterized queries for your DB interactions.
I think what you're asking is: How can I store the state of my Customer Id without putting it in a text box?
There are a lot of ways to do this; I would do it using the ViewState, like this:
public int CustomerId
{
    get { return (int)(ViewState["CustomerId"] ?? -1); }
    set { ViewState["CustomerId"] = value; }
}
You can read more about the ViewState here: http://msdn.microsoft.com/en-us/library/system.web.ui.control.viewstate.aspx
** EDIT **
If you're using a Windows forms application the ViewState will not work, that's for ASP.NET. Instead you should look at using a BindingSource control and read up on Databind in Winforms.
Do not use string concatenation when constructing your SQL!
Use parameterized statements with placeholders, and set the values using a Parameter object.
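The hardened form of the update that the answers above call for, as an added example (not code from any of the answers or from the asker): the id of the row clicked in the grid is kept in a private field rather than in a text box, and the UPDATE takes every user value as a SqlParameter so the input is never part of the SQL text. The field name selectedCustomerId, the helper UpdateCustomer, and the column types and sizes are assumptions; the connection string and control names are the ones from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public partial class CustomerForm : Form
{
    // Connection string as given in the question; replace with your own.
    private const string ConnStr =
        @"Data Source=COMPAQ-PC-PC\SQLEXPRESS;Initial Catalog=Gym;Integrated Security=True";

    // Id of the selected row, held in a field instead of a text box (assumed name).
    private int selectedCustomerId = -1;

    private void dgView_CustomerInfo_RowHeaderMouseClick(object sender, DataGridViewCellMouseEventArgs e)
    {
        DataGridViewRow row = dgView_CustomerInfo.Rows[e.RowIndex];
        selectedCustomerId = Convert.ToInt32(row.Cells["CustomerID"].Value);
        tbName.Text = row.Cells["Customer_Name"].Value.ToString();
        tbContactNumber.Text = row.Cells["Cell_Number"].Value.ToString();
        tbAddress.Text = row.Cells["Customer_Address"].Value.ToString();
    }

    private void btnUpdate_Click(object sender, EventArgs e)
    {
        if (selectedCustomerId < 0)
        {
            MessageBox.Show("Select a customer first.");
            return;
        }
        int rows = UpdateCustomer(selectedCustomerId, tbName.Text, tbContactNumber.Text, tbAddress.Text);
        if (rows == 0) MessageBox.Show("No customer with that id was found.");
        BindGridView();
    }

    // Parameterized update (assumed helper): values travel as typed parameters,
    // so quotes or keywords typed into a text box cannot change the statement.
    private static int UpdateCustomer(int id, string name, string cell, string address)
    {
        const string sql =
            "UPDATE Customer SET Customer_Name = @name, Cell_Number = @cell, " +
            "Customer_Address = @address WHERE CustomerID = @id";
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;     // sizes assumed
            cmd.Parameters.Add("@cell", SqlDbType.NVarChar, 20).Value = cell;
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cn.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 0 means no such CustomerID
        }
    }
}
```

The using blocks close and dispose the connection and command on every path, which replaces the manual State checks and Dispose call in the original handler.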