I'm doing a practice project for training; my handler has specifically forbidden parameterization and security-oriented coding for now, in the interest of getting the basic
You have to pass the value of the Text property of the TextBox controls to the query, not the "TextBox.Text" as a string:
string updateQuery = "UPDATE ProductInstance SET CustId = " + TextBox1.Text + ", CustName = '" + TextBox2.Text + "', .... " + x;
NOTE: If the value of the "Text" property was a string then you have to place a ' on the two sides of the value like in the example above.
Your query will be executed as is, Textbox*.Text won't be replaced.
You will have to use SQL Parameters or use a string Builder or string.Format to generate your query string.
const string queryFormat = "UPDATE ProductInstance SET CustId = {0}, CustName = '{1}', ... WHERE ProductId = {n}";
var query = string.Format(queryFormat, Textbox1.Text,
Textbox2.Text,
...,
TextboxN.Text, x);
Make sure you generate a valid SQL Update query. Something like CustCity = TextBox4.Text will fail if Textbox4.Text is a string. You will have to add quotes where needed: CustCity = '" + TextBox4.Text + "'"
Even if you can not use parameters or ORMs I would recommend you to name your textboxes other than TextboxN.
Furthermore I don't get how this code would work if you are using a grid view? You are only populating one row?
Use parameters to do this. Otherwise you are wide-open for SQL injection.
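// SqlCommand lives in System.Data.SqlClient; cmd.Connection must be an open SqlConnection before ExecuteNonQuery().
SqlCommand cmd = new SqlCommand();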
cmd.CommandText = "UPDATE ProductInstance SET CustId = @CustID WHERE .... ";
cmd.Parameters.AddWithValue("@CustID", TextBox1.Text);
cmd.ExecuteNonQuery();
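The difference between the string-built UPDATE and the parameterized one, as an added example that is not part of any answer above. It uses Python's built-in sqlite3 in place of SQL Server and ADO.NET so it runs offline; the column types, sample rows, and function names are assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for ProductInstance (column types and rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ProductInstance ("
               "ProductId INTEGER PRIMARY KEY, CustId INTEGER, CustName TEXT)")
    db.executemany("INSERT INTO ProductInstance VALUES (?, ?, ?)",
                   [(1, 10, "Alice"), (2, 20, "Bob")])
    return db

def update_concat(db, cust_id, cust_name, product_id):
    """String-built UPDATE: text-box values become part of the SQL text."""
    sql = ("UPDATE ProductInstance SET CustId = " + cust_id +
           ", CustName = '" + cust_name + "' WHERE ProductId = " + product_id)
    return db.execute(sql).rowcount

def update_param(db, cust_id, cust_name, product_id):
    """Parameterized UPDATE: values are bound as data, never parsed as SQL."""
    sql = ("UPDATE ProductInstance SET CustId = :cust_id, CustName = :cust_name "
           "WHERE ProductId = :product_id")
    # Convert numeric fields before binding; int() raises ValueError on junk.
    args = {"cust_id": int(cust_id), "cust_name": cust_name,
            "product_id": int(product_id)}
    return db.execute(sql, args).rowcount

def rows(db):
    return db.execute("SELECT ProductId, CustId, CustName FROM ProductInstance "
                      "ORDER BY ProductId").fetchall()

def demo():
    """Return (error from concatenation, rows after concat, rows after params)."""
    quoted_name = "O'Brien"      # ordinary input that happens to contain a quote
    widened_key = "1 OR 1=1"     # constructed text-box value reaching the WHERE clause
    db = make_db()
    try:
        update_concat(db, "11", quoted_name, "1")
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)         # the quote closed the string literal early
    update_concat(db, "11", "Carol", widened_key)
    after_concat = rows(db)      # both rows changed, not only ProductId 1
    db = make_db()
    update_param(db, "11", quoted_name, "1")
    after_param = rows(db)       # one row changed, quote stored verbatim
    return error, after_concat, after_param
```
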