Please, please read the following article:
Understanding SQL Injection and Creating SQL Injection Proof ASP.NET Applications
I've corrected your code. It is not 100% the best way to do it, but the query is now parameterized, so the text typed into the form is sent as data and you won't get SQL injection issues.
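/// <summary>
/// Click handler for the Update button: writes the name, designation and salary
/// from the form's text boxes to the EmployeeDetails row whose EmpId matches the
/// ID text box, using a parameterized UPDATE statement.
/// </summary>
/// <param name="sender">The control that raised the event (not used).</param>
/// <param name="e">Event data (not used).</param>
private void btnUpdate_Click(object sender, EventArgs e) {
    try {
        // An ID that is empty or only whitespace cannot identify a row, so ask
        // for one before touching the database.
        if (string.IsNullOrWhiteSpace(txtempid.Text)) {
            MessageBox.Show("Enter Employee Id To Update");
            return;
        }

        // The statement text is a constant. Every user-supplied value travels as
        // a bound parameter, so it is treated as data and never parsed as SQL.
        const string sql = "Update EmployeeDetails SET " +
                           "EmpName=@EmpName," +
                           "EmpDesgn=@EmpDesgn ," +
                           "EmpSalary=@EmpSalary " +
                           "where EmpId=@EmpId";

        using (SqlCommand cmdupdate = new SqlCommand(sql, con)) {
            // AddWithValue infers the parameter type from the .NET value, so all
            // four values are sent as strings here.
            // NOTE(review): if EmpSalary or EmpId are numeric columns, parse the
            // text first and use Parameters.Add with an explicit SqlDbType so bad
            // input is rejected before it reaches the server; confirm against
            // the table schema.
            cmdupdate.Parameters.AddWithValue("@EmpName", txtEmpName.Text);
            cmdupdate.Parameters.AddWithValue("@EmpDesgn", txtEmpDegn.Text);
            cmdupdate.Parameters.AddWithValue("@EmpSalary", txtSalary.Text);
            cmdupdate.Parameters.AddWithValue("@EmpId", txtempid.Text);
            cmdupdate.CommandType = CommandType.Text;

            con.Open();
            int rowsAffected = cmdupdate.ExecuteNonQuery();

            // Zero rows means no record matched the given ID, so reporting
            // success would be misleading. Only an exact 0 is treated this way:
            // ExecuteNonQuery returns -1 when the server does not report a count.
            if (rowsAffected == 0) {
                MessageBox.Show("No Employee Found With That Id");
            }
            else {
                MessageBox.Show("Data Updated");
            }
        }
    }
    catch (Exception ex) {
        // NOTE(review): ex.Message from a database error can contain table and
        // column names. Consider logging the detail and showing the user a
        // generic failure message instead.
        MessageBox.Show(ex.Message);
    }
    finally {
        // The connection is a shared field, so it is closed rather than disposed.
        if (con.State == ConnectionState.Open) {
            con.Close();
        }
    }
}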