C# - Injection safe SQL update query makes no change
I'm making an ASP site that's backed by an Access database. In the site, I want to let the player purchase items. I have 2 forms of currency - gems and herbs.
When a player purchases an item, I want 3 separate actions:
- pass the item from the store to the inventory, by changing the relevant boolean in the itemplayerconnection table
- reduce the "gems" integer currency according to the purchase
- reduce the "herbs" integer currency, according to what they're buying.
Thus, I'm trying to construct 3 different queries. The first one should go like so:
    UPDATE itemplayerconnection SET inventory=true WHERE player=playernamehere AND item=itemidhere
in order to move the item from the store to the inventory. The second and third ones are similar, the difference being gems and herbs. They should go like so:
    UPDATE player SET currencynamehere=(currencynamehere-itempricehere) WHERE owner=playernamehere
So I've tried the following code:
    // Requires: using System.Data.OleDb;
    static public void Purchase(string player, int itemid, int herbprice, int gemprice)
    {
        // Move the item from the store to the player's inventory.
        OleDbCommand command1 = GenerateConnection(
            "UPDATE itemplayerconnection SET inventory=true WHERE player=@player AND item=@itemid");
        command1.Parameters.AddWithValue("@player", player);
        command1.Parameters.AddWithValue("@itemid", itemid);

        // Deduct the herb price from the player's balance.
        OleDbCommand command2 = GenerateConnection(
            "UPDATE player SET herbs=(herbs-@herbprice) WHERE owner=@player");
        command2.Parameters.AddWithValue("@herbprice", herbprice);
        command2.Parameters.AddWithValue("@player", player);

        // Deduct the gem price from the player's balance.
        OleDbCommand command3 = GenerateConnection(
            "UPDATE player SET gems=(gems-@gemprice) WHERE owner=@player");
        command3.Parameters.AddWithValue("@gemprice", gemprice);
        command3.Parameters.AddWithValue("@player", player);

        command3.ExecuteNonQuery();
        command2.ExecuteNonQuery();
        command1.ExecuteNonQuery();
    }
And with breakpoints, I saw that the queries are fine, and yet, although the herbs and gems are changed, the item is not passed from the shop to the inventory. These raise no syntax error.
What is the error?
Your code seems fine and you have a business error, but I want to note something else:
- AddWithValue requires the parameter name and value, not the type;
- You should name your parameters correctly, to make it easier to maintain the code
- You should consider encapsulating the commands in one database transaction, to make them work as an atomic unit; this isn't in the code below
Your modified code would be:
    // Requires: using System.Data.OleDb;
    static public void Purchase(string player, int itemid, int herbprice, int gemprice)
    {
        // Move the item from the store to the player's inventory.
        OleDbCommand command1 = GenerateConnection(
            "UPDATE itemplayerconnection SET inventory=true WHERE player=@player AND item=@itemid");
        command1.Parameters.AddWithValue("@player", player);
        command1.Parameters.AddWithValue("@itemid", itemid);

        // Deduct the herb price from the player's balance.
        OleDbCommand command2 = GenerateConnection(
            "UPDATE player SET herbs=(herbs-@herbprice) WHERE owner=@player");
        command2.Parameters.AddWithValue("@herbprice", herbprice);
        command2.Parameters.AddWithValue("@player", player);

        // Deduct the gem price from the player's balance.
        OleDbCommand command3 = GenerateConnection(
            "UPDATE player SET gems=(gems-@gemprice) WHERE owner=@player");
        command3.Parameters.AddWithValue("@gemprice", gemprice);
        command3.Parameters.AddWithValue("@player", player);

        command3.ExecuteNonQuery();
        command2.ExecuteNonQuery();
        command1.ExecuteNonQuery();
    }
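The transaction the answer recommends but leaves out of its code, as an added example (not code from the question or the answer). It also checks the row count each `UPDATE` reports, so an update that silently matches nothing rolls the purchase back, and it goes slightly beyond the page by refusing a purchase the balance cannot cover. Assumptions: the `Shop` class, the `Execute` helper and the connection string are hypothetical; table and column names are the ones used in the question.

```csharp
using System;
using System.Data.OleDb;

static class Shop
{
    // Assumption: placeholder connection string; point it at your own Access file.
    const string ConnectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\game.accdb";

    // OleDb binds parameters by position, not by name, so values must be
    // supplied in the order their placeholders appear in the SQL text.
    static int Execute(OleDbConnection conn, OleDbTransaction tx, string sql, params object[] values)
    {
        using (var cmd = new OleDbCommand(sql, conn, tx))
        {
            foreach (object value in values)
                cmd.Parameters.AddWithValue("?", value);
            return cmd.ExecuteNonQuery(); // rows affected
        }
    }

    public static void Purchase(string player, int itemid, int herbprice, int gemprice)
    {
        using (var conn = new OleDbConnection(ConnectionString))
        {
            conn.Open();
            using (OleDbTransaction tx = conn.BeginTransaction())
            {
                try
                {
                    // Deduct both currencies only if the balance covers the price.
                    int paid = Execute(conn, tx,
                        "UPDATE player SET herbs = herbs - ?, gems = gems - ? " +
                        "WHERE owner = ? AND herbs >= ? AND gems >= ?",
                        herbprice, gemprice, player, herbprice, gemprice);
                    int moved = Execute(conn, tx,
                        "UPDATE itemplayerconnection SET inventory = True " +
                        "WHERE player = ? AND item = ?", player, itemid);
                    // Zero rows means a WHERE clause matched nothing: undo everything.
                    if (paid == 0 || moved == 0)
                        throw new InvalidOperationException("Purchase matched no rows; rolled back.");
                    tx.Commit();
                }
                catch { tx.Rollback(); throw; }
            }
        }
    }
}
```

A `moved` count of 0 is the symptom described in the question: the statement runs without error but its `WHERE` clause matches no row in itemplayerconnection.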