This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 71%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
incorrect syntax near ','.
I am working on a small program, but this problem stopped me. When I do the update data, this message appears to me, although the update works in more than one other form within the program.
Please help me.
string d = Date.Value.ToString("yyyy/MM/dd");
string Dinstall = txtdateInstal.Value.ToString("yyyy/MM/dd");
db.ExcuteData("update TBL_Employees Set FName ='"+txtFName.Text+"' ,LName ='" + txtLName.Text + "' ,DateB='" + d + "', PlaceB='" + txtBDaye.Text + "', ID_C= " + cmbCenter.SelectedValue + ", ID_S= " + cmbService.SelectedValue + ",ID_Sec=" + cmbSecture.SelectedValue + ", ID_Grade = " + cmbGrade.SelectedValue + ", DateInstall= '" + Dinstall + "', Credit=" + txtRacid.Text + ", Adress= '" + txtAddress.Text + "', Phone=" + txtPhone.Text + " ,Status = " + status.Text + " where ID_Emp ="+txtMat.Text+" " ," Modified successfully ");
What you need to do is not use string concatenation for your SQL, instead use parameters.
Basic example using SqlClient but works with any provider.
What Karen said. The model you use is difficult, opens for SQL injection and has a number of more issues. Parameterised statements is the way to go.
@Soufiane Sahraoui, Welcome to Microsoft Q&A, I recommend that you use string.format to avoid that you missed single-quote in the string.
string query = "update TBL_Employees Set FName ='{0}' ,LName ='{1}' ,DateB='{2}', PlaceB='{3}', ID_C= '{4}', ID_S= '{5}',ID_Sec='{6}', ID_Grade = '{7}', DateInstall= '{8}', Credit='{9}', Adress= '{10}', Phone='{11}' ,Status = '{12}' where ID_Emp ='{13}' ";
string result = string.Format(query, txtFName.Text, txtLName.Text,.......) ;//-> you need to input 14 parameters here
I recommend that you use string.format to avoid that you missed single-quote in the string.
Please no. It does not solve the problem and it is still open for SQL injection. That is not a parameterised statement.
Sourfiance, first of all remove slash simbol in the dateformar string, like this : Date.Value.ToString("yyyyMMdd")
i hope that it help you.
greetings.
It's probably your input on the form.
You can try this sample below. Insert any new parameters you like, as I included only a few to make it short. It will also make your code more protected against SQL injection. (Note: I only assumed your SQL data types and length, you may change it as well as needed.)
private string updateEmployees(int ID_Emp)
{
// Create Instance of Connection and Command Object
SqlConnection myConnection = new SqlConnection("Your Connection String Goes Here");
SqlCommand myCommand = new SqlCommand();
try
{
// The Command
myCommand.Connection = myConnection;
myCommand.CommandType = CommandType.Text;
myCommand.CommandText = "UPDATE TBL_Employees Set FName=@FName, LName=@LName where ID_Emp=@ID_Emp";
SqlParameter myPara;
// Add Parameters
myPara = new SqlParameter("@ID_Emp", SqlDbType.Int, 8);
myPara.Value = ID_Emp;
myCommand.Parameters.Add(myPara);
myPara = new SqlParameter("@FName", SqlDbType.Char, 50);
myPara.Value = txtFName.Text;
myCommand.Parameters.Add(myPara);
myPara = new SqlParameter("@LName", SqlDbType.Char, 50);
myPara.Value = txtLName.Text;
myCommand.Parameters.Add(myPara);
myConnection.Open();
myCommand.ExecuteNonQuery();
return "Modified successfully";
}
catch (Exception ex)
{
//LOg Exception
return "Failed to Modify";
}
finally
{
if (myConnection.State != ConnectionState.Closed)
{
myConnection.Close();
myCommand.Dispose();
myConnection.Dispose();
}
}
}