I have data in my database
'A Plus 18" Stand Fan'
'A Plus 18\" Stand Fan'
for (int y = 0; y < dt.Rows.Count; y++)
{
    model = dt.Rows[y]["ItemModel"].ToString();
    string companys = dt.Rows[y]["Company"].ToString();
    Utility a = new Utility();
    string com = a.PO();                        // connection string
    SqlConnection con = new SqlConnection(com);
    SqlCommand read = con.CreateCommand();
    SqlDataReader reader = null;
    string stat = "Delivered";                  // unused; the literal is repeated in the query below
    // query built by string concatenation, so quotes inside model/companys break it
    string mod = "SELECT SUM(Quantity) as Quantity from vConsumables_Balance where Model ='" + model + "' AND Company = '" + companys + "' AND Status = 'Delivered'";
    read.CommandText = mod;
    con.Open();                                 // must open the connection before executing
    reader = read.ExecuteReader();
    if (reader.Read())                          // advance to the single aggregate row
        quan = reader.GetDecimal(0).ToString(); // throws if SUM returned NULL (no matching rows)
    reader.Close();
    con.Close();
}
The code line
string mod = "SELECT SUM(Quantity) as Quantity from vConsumables_Balance where Model ='" + model + "' AND Company = '" + companys + "' AND Status = 'Delivered'";
shows that you are creating SQL queries by concatenating strings manually. I assume you did the same when inserting the data into the database and used some tool of your own for escaping some characters.
That is a bad idea. You should change all your queries to parameterized queries. That will help you with other issues you are likely to encounter: formatting of numbers and dates, and it will also provide some protection against SQL injection attacks.
As for the Status column, I'd suggest using an integer value representing an enumeration value instead of a string.
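The parameterized form of the query from the question, as an added example that is not code from either post. It assumes the connection string returned by the asker's Utility.PO(), the view and column names from the question, and NVARCHAR parameter sizes (100 and 20) chosen here for illustration.

```csharp
// Added example: the same lookup written with parameters so that values such
// as 'A Plus 18" Stand Fan' need no manual escaping. Parameter sizes are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

static class ConsumablesBalance
{
    // Returns the delivered quantity for one model/company pair, or 0 when the
    // view has no matching rows (SUM over zero rows yields NULL).
    public static decimal DeliveredQuantity(string connectionString, string model, string company)
    {
        const string sql =
            "SELECT SUM(Quantity) AS Quantity FROM vConsumables_Balance " +
            "WHERE Model = @Model AND Company = @Company AND Status = @Status";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Each value travels as a typed parameter, never as part of the SQL text,
            // so quotes or backslashes in the data cannot change the query.
            cmd.Parameters.Add("@Model", SqlDbType.NVarChar, 100).Value = model;
            cmd.Parameters.Add("@Company", SqlDbType.NVarChar, 100).Value = company;
            cmd.Parameters.Add("@Status", SqlDbType.NVarChar, 20).Value = "Delivered";

            con.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? 0m : Convert.ToDecimal(result);
        }
    }

    // Walks the DataTable from the question the way the original loop does.
    public static void FillQuantities(DataTable dt, string connectionString)
    {
        foreach (DataRow row in dt.Rows)
        {
            string model = row["ItemModel"].ToString();
            string company = row["Company"].ToString();
            decimal quantity = DeliveredQuantity(connectionString, model, company);
            Console.WriteLine($"{model} / {company}: {quantity}");
        }
    }
}
```

The NULL check replaces the GetDecimal(0) call in the question, which throws when SUM finds no rows.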