Question

string queryString4 = "UPDATE Table1 SET currentMoney =currentMoney + '" + money + "'WHERE accountNo='" + recipientNo + "';";

user1 & user2 have $100

user1 transfers $5 to user2.

user1 now has $95 & user2 now has $1005

Somehow it did not calculate properly. I'm suspecting the code above because I did a querystring3 which is minus instead of a plus and it works. However querystring4 is a bit of a problem.


Solution

You're appending a string here:

currentMoney =currentMoney + '" + money + "'

Let's assume that money is 5, this becomes:

currentMoney =currentMoney + '5'

In many languages this will result in an implicit conversion of the numeric value to a string value, so:

100 + '5' = '1005'

Then when you store it, I guess it was implicitly converted back to a numeric value? It's odd to me that you didn't receive an error message during any of this.

In any event, you're looking at two fixes:

  1. For now, get rid of those single-quotes and treat the numeric value as a numeric value instead of a string value.
  2. Don't build your queries by concatenating strings. The problem you're facing now is one of the lesser problems you'll encounter by doing this. Exposing yourself to SQL injection attacks is another, more significant problem. Use query parameters instead of string concatenation.

Other tips

This is a textbook case. You need a transaction to encapsulate the two commands. You also need to use a parameterized query and not a string concatenation.

 using System.Data.SqlClient;
 using System.Transactions;

 decimal sumOfTransaction = 5m;
 string creditAccount = "123456ABC";
 string debitAccount = "ABC9876543";
 // connectionString is assumed to be defined elsewhere (e.g. loaded from configuration)

 // TransactionScope makes both UPDATEs commit together or roll back together
 using(TransactionScope scope = new TransactionScope())
 using(SqlConnection cn = new SqlConnection(connectionString))
 {
    string upd1 = @"UPDATE Table1 SET currentMoney = currentMoney + @amount
                    WHERE accountNo=@account";

    string upd2 = @"UPDATE Table1 SET currentMoney = currentMoney - @amount
                    WHERE accountNo=@account";

    cn.Open();
    using(SqlCommand cmd = new SqlCommand(upd1, cn))
    {
        // parameters are sent as typed values, never spliced into the SQL text
        cmd.Parameters.AddWithValue("@amount", sumOfTransaction);
        cmd.Parameters.AddWithValue("@account", creditAccount);
        cmd.ExecuteNonQuery();

        // reuse the command and its parameters for the debit side
        cmd.CommandText = upd2;
        cmd.Parameters["@account"].Value = debitAccount;
        cmd.ExecuteNonQuery();
    }

    // without Complete() the scope is disposed with a rollback
    scope.Complete();
 }

The use of a transaction is mandatory here, because you don't want, for ANY reason, to credit some amount of money to one account and for whatever reason fail to debit the other account. (In real cases you need a lot more than this. For example, this code lacks any checks against the amount available in the debit account.)

Of course your initial error is due to the fact that you are treating your amount as if it were a string, but this is plainly wrong. When dealing with money values you should not rely on implicit conversions of any kind.
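As an added example (not code from any of the answers above), here is the same transfer written as one parameterized transaction in Python's sqlite3, with an in-memory database standing in for SQL Server. It also adds the insufficient-funds check the answer says is missing and rolls back if either side fails; the table name and account numbers are constructed to match the question, and balances are kept in integer cents to avoid rounding.

```python
import sqlite3


def open_bank() -> sqlite3.Connection:
    """Constructed sample data: two accounts with $100.00 each (stored in cents)."""
    cn = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    cn.execute("CREATE TABLE Table1 (accountNo TEXT PRIMARY KEY, currentMoney INTEGER NOT NULL)")
    cn.executemany("INSERT INTO Table1 VALUES (?, ?)", [("user1", 10000), ("user2", 10000)])
    return cn


def balance(cn: sqlite3.Connection, account: str) -> int:
    row = cn.execute("SELECT currentMoney FROM Table1 WHERE accountNo = ?", (account,)).fetchone()
    return row[0] if row else -1


def transfer(cn: sqlite3.Connection, debit_account: str, credit_account: str, amount_cents: int) -> bool:
    """Move amount_cents from debit_account to credit_account atomically.

    Returns True on success. Returns False, leaving both balances untouched, when the
    debit account lacks funds or either account does not exist.
    """
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    cn.execute("BEGIN IMMEDIATE")  # write lock: the funds check cannot be raced by another transfer
    try:
        # The guard is in the WHERE clause, so the debit only happens if funds suffice;
        # rowcount tells us whether it did. Values travel as parameters, never as SQL text.
        cur = cn.execute(
            "UPDATE Table1 SET currentMoney = currentMoney - ? "
            "WHERE accountNo = ? AND currentMoney >= ?",
            (amount_cents, debit_account, amount_cents),
        )
        if cur.rowcount != 1:
            cn.execute("ROLLBACK")
            return False
        cur = cn.execute(
            "UPDATE Table1 SET currentMoney = currentMoney + ? WHERE accountNo = ?",
            (amount_cents, credit_account),
        )
        if cur.rowcount != 1:  # unknown recipient: undo the debit already made
            cn.execute("ROLLBACK")
            return False
        cn.execute("COMMIT")
        return True
    except Exception:
        cn.execute("ROLLBACK")
        raise
```

Because the account number is a parameter, a value containing quotes or SQL keywords is compared as plain text and simply matches no row.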

Composing SQL strings in this way is a very bad practice. You should use SQL parameters instead.

Anyway, try this way:

string queryString4 = "UPDATE Table1 SET currentMoney =currentMoney + (" + money + ") WHERE accountNo='" + recipientNo + "';";

But I strongly advise you to use parameters.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow