Incorrect syntax near unclosed quotation mark after the character string

Question

1.00/5 (2 votes)

See more:

I am creating windows application using c# 2010, here i am using data grid view for billing purpose, once i am stored the values to database, and then after some time i am retrieve my first bill values and i am doing some changes and update the records for same bill number, but that time error is came.

this is for my update code

C#

using (SqlConnection connect = new SqlConnection(db.Connectionstring()))
          {
              using (SqlCommand command = new SqlCommand())
              {
                  string pro = "";
                  int qty;
                  int totqty;
                  command.Connection = connect;


                  command.CommandText = "update bill set staffid=staffid' and cstid='" + txtmobile.Text + "' and cstname='" + txtname.Text + "' and schemes='" + txtscheme2.Text + "' and counum='" + txtnum.Text + "' and date='" + txtdate.Text + "' and slno=slno, proname=proname, price=price, qty=qty, protax=protax, dis=dis, amt=amt where(recnum=@recnum)";










                  command.Parameters.Add(new SqlParameter("@staffid", SqlDbType.VarChar));
                  command.Parameters.Add(new SqlParameter("@cstid", SqlDbType.Int));
                  command.Parameters.Add(new SqlParameter("@cstname", SqlDbType.VarChar));
                  command.Parameters.Add(new SqlParameter("@schemes", SqlDbType.VarChar));
                  command.Parameters.Add(new SqlParameter("@counum", SqlDbType.VarChar));



                  command.Parameters.Add(new SqlParameter("@recnum", SqlDbType.Int));
                  command.Parameters.Add(new SqlParameter("@date", SqlDbType.VarChar));
                  command.Parameters.Add(new SqlParameter("@slno", SqlDbType.VarChar));
                  command.Parameters.Add(new SqlParameter("@proname", SqlDbType.VarChar));
                  command.Parameters.Add(new SqlParameter("@price", SqlDbType.Float));
                  command.Parameters.Add(new SqlParameter("@qty", SqlDbType.VarChar));
                  command.Parameters.Add(new SqlParameter("@protax", SqlDbType.Float));
                  command.Parameters.Add(new SqlParameter("@dis", SqlDbType.Float));
                  command.Parameters.Add(new SqlParameter("@amt", SqlDbType.Float));

                  command.Parameters.Add(new SqlParameter("@totamt", SqlDbType.Float));
                  command.Parameters.Add(new SqlParameter("@amtdis", SqlDbType.Float));
                  command.Parameters.Add(new SqlParameter("@finamt", SqlDbType.Float));


                  connect.Open();
                  foreach (DataGridViewRow row in dgvfind.Rows)
                  {
                      if (!row.IsNewRow)
                      {
                          command.Parameters["@staffid"].Value = txtstaff.Text;
                          command.Parameters["@cstid"].Value = txtmobile.Text;
                          command.Parameters["@cstname"].Value = txtname.Text;
                          command.Parameters["@schemes"].Value = txtscheme2.Text;
                          command.Parameters["@counum"].Value = txtnum.Text;

                          command.Parameters["@recnum"].Value = lblbill.Text;
                          command.Parameters["@date"].Value = txtdate.Text;



                          command.Parameters["@slno"].Value = row.Cells[0].Value;
                          command.Parameters["@proname"].Value = row.Cells[1].Value;
                          pro = row.Cells[1].Value.ToString();
                          command.Parameters["@price"].Value = row.Cells[2].Value;
                          command.Parameters["@qty"].Value = row.Cells[3].Value;
                          qty = Convert.ToInt32(row.Cells[3].Value);
                          command.Parameters["@protax"].Value = row.Cells[4].Value;
                          command.Parameters["@dis"].Value = row.Cells[5].Value;
                          command.Parameters["@amt"].Value = row.Cells[6].Value;

                          command.Parameters["@totamt"].Value = txt_netamount.Text;
                          command.Parameters["@amtdis"].Value = textBox3.Text;
                          command.Parameters["@finamt"].Value = textBox2.Text;



                         command.ExecuteNonQuery();

But error is came

C#

Incorrect syntax near ' and cstid='.
Unclosed quotation mark after the character string ' and slno=slno, proname=proname, price=price, qty=qty, protax=protax, dis=dis, amt=amt where(recnum=@recnum)'.

How to solve above error any one give me ideas.

What I have tried:

Incorrect syntax near Unclosed quotation mark after the character string

Posted 29-Jul-16 0:18am

Boopalslm

Updated 29-Jul-16 0:36am

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2016-07-29T00:36:00

Well yes - your quotation marks don't make any sense!

C#

command.CommandText = "update bill set staffid=staffid' and cstid='"

But then, the whole SQL is wrong, and even if it wasn't it would bne extremely dangerous. Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

You've even got the code in there to add the parameters, but you don't use them at all!
Try:

C#

command.CommandText = "update bill set staffid=@staffid, cstid=@cstid, ...

And provide the parameters properly:

C#

command.Parameters.AddWithValue("@staffid", txtstaff.Text);
...

But do yourself (and your users) a favour: some of those are numeric values, so verify and convert the user inputs to the appropriate numeric value first before you try to pass them to SQL by using int.TryParse, double.TryParse, and so forth. If there is a problem, report it to the user instead of letting bad data to to the DB and hoping SQL rejects it.