Syntax error in UPDATE statement

Question

0.00/5 (No votes)

See more:

C#

GridViewRow row = (GridViewRow)ResultGridView.Rows[e.RowIndex];
        Label lbl = (Label)row.FindControl("lblid");
        TetBox txextname = (TextBox)row.FindControl("textbox1");
        TextBox textmarks = (TextBox)row.FindControl("textbox2");
        ResultGridView.EditIndex = -1;
                conn.Open();

               OleDbCommand cmd = new OleDbCommand("update db1 set Names='" + textname.Text + "' , Number='" + textmarks.Text + "' where Id='" + lbl.Text + "'",conn);
                //.CommandText = "Update StudentRecord set Name='" + txtname.Text + "',ClassName='" + txtclassname.Text + "',RollNo='" + txtrollno.Text + "',EmailId='" + txtemailid.Text + "' where StId='" + lblstid.Text + "'";

                cmd.CommandType = CommandType.Text;
               OleDbDataAdapter da = new OleDbDataAdapter(cmd);
                cmd.CommandType = CommandType.Text;

        cmd.ExecuteNonQuery();

       
        conn.Close();
        bind();

Posted 21-Jul-14 20:08pm

Member 10959710

Updated 21-Jul-14 21:09pm

CPallini

v2

Add a Solution

Comments

Maarten Kools 22-Jul-14 3:26am

I suggest to strip the statement until it works,and from there try to determine what exactly is causing the problem. For now, I suggest instead of building the query the way you're doing now to use prepared statements[^]. This has a couple of advantages, one of them is security and the other is that you don't have to bother with determining datatypes and escaping your input. If I had to take a guess at why the update statement fails, I would think it's because the input has a quote in it. Again, using prepared statements will fix this.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Bernhard Hiller · Answer 1 · 2014-07-22T02:14:00

Solution 1

Concatenating the SQL query with its values is a very good idea to provoke SQL Injection Attacks.
But using parameterized queries instead, such problems like yours are also solved. - I guess you get the error with names ike O'Connor?

Posted 22-Jul-14 2:14am

Bernhard Hiller