You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE 'btechstudent_academics' SET 'Tenth'=93,'Twelveth'=80,'Di

Question

1.00/5 (1 vote)

See more:

i am trying to update my database the above error appears..please suggest me what to do..error is
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE 'btechstudent_academics' SET 'Tenth'=93,'Twelveth'=80,'Diploma'=0,'Gradua' at line 1"

C#

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using MySql.Data.MySqlClient;
using System.IO;

public partial class BtechSrtudentUpdate : System.Web.UI.Page
{
    MySqlConnection conn1 = new MySqlConnection("Server=localhost;Database=test;Uid=root;Pwd=1234");
    MySqlConnection conn2 = new MySqlConnection("Server=localhost;Database=test;Uid=root;Pwd=1234");
    string r=" ";
    protected void Page_Load(object sender, EventArgs e)
    {
         r = Request.QueryString["regd"];
         Label2.Text = r;
        TextBoxtRegd.Text = Request.QueryString["regd"];
        TextBoxName.Text = Request.QueryString["name"];
        txtDate.Text = Request.QueryString["Dob"];
        TextBoxBatch.Text = Request.QueryString["Batch"];
        TextBoxEmail.Text = Request.QueryString["Email"];
        TextBoxMobile.Text = Request.QueryString["mobile"];
        TextBoxParentName .Text  = Request.QueryString["pname"];
        TextBoxParentNumber.Text = Request.QueryString["pno"];
        Branch .SelectedValue  = Request.QueryString["Branch"];
        TextBoxTenth.Text = Request.QueryString["Tenth"];
        TextBoxTwelveth.Text = Request.QueryString["Twelveth"];
        TextBoxDiploma.Text = Request.QueryString["dip"];
        TextBoxGraduation.Text = Request.QueryString["grad"];
        TextBoxBtech.Text = Request.QueryString["btech"];
        TextBoxYeargap.Text = Request.QueryString["yeargap"];
        TextBoxBacklog.Text = Request.QueryString["backlog"];
        TextBoxSkills.Text = Request.QueryString["Skills"];
        
    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        
        string r = Request.QueryString["regd"]; 
        conn1.Open();
        //conn2.Open();
        Label2.Text = " "+TextBoxName.Text +" "+TextBoxTwelveth .Text ;
        Label2.Visible = true;
        string sql2 = "(UPDATE 'btechstudent_academics' "+"SET 'Tenth'=" + Convert.ToDouble(TextBoxTenth.Text) + ",'Twelveth'=" + Convert.ToDouble(TextBoxTwelveth.Text) + ",'Diploma'=" + Convert.ToDouble(TextBoxDiploma.Text) + ",'Graduation'=" + Convert.ToDouble(TextBoxGraduation.Text) + ",'Btech'=" + Convert.ToDouble(TextBoxBtech.Text) + ",'Yeargap'=" + Convert.ToInt32(TextBoxYeargap.Text) + ",'Backlog'=" + Convert.ToInt32(TextBoxBacklog.Text) + ",'Skills'='" + TextBoxSkills.Text + "' where [Regd_no]='"+TextBoxtRegd .Text +"')";
      //  string sql1 = "(UPDATE btechstudent_details SET [Sname]='" + TextBoxName.Text + "',[DOB]='" + txtDate.Text + "',[Batch]=" + Convert.ToInt16(TextBoxBatch.Text) + ",[Email]='" + TextBoxEmail.Text + "',[Phone]='" + TextBoxMobile.Text
          //  + "',[Parents_name]='" + TextBoxParentName.Text + "',[Parents_Number]='" + TextBoxParentNumber.Text + "',[Branch]='"+Branch.SelectedItem .ToString () +"' WHERE [Regd_no]='"+ TextBoxtRegd.Text   +"')";
       // string sql2 = "(update btechstudent_academics where Regd_no='" + TextBoxtRegd.Text + "')";
       
        
        MySqlCommand cmd2 = new MySqlCommand(sql2, conn1);
        //MySqlCommand cmd2 = new MySqlCommand(sql2, conn2);
        try
        {
            Response.Write("HI");
            cmd2.ExecuteNonQuery();

            
        }
        catch (Exception x)
        { Label1.Text = " " + x.Message; }
        finally
        {
            conn1.Close();
        }
        
    }
    protected void TextBox1_TextChanged(object sender, EventArgs e)
    {

    }
    protected void TextBoxBacklog_TextChanged(object sender, EventArgs e)
    {

    }
    protected void TextBoxTenth_TextChanged(object sender, EventArgs e)
    {

    }
    protected void TextBox9_TextChanged(object sender, EventArgs e)
    {

    }
}

Posted 9-Mar-15 10:46am

Somesh Dhal

Updated 10-Mar-15 1:01am

RajeeshMenoth

v2

Add a Solution

Comments

Richard Deeming 9-Mar-15 17:00pm

Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

manchanx · Answer 1 · 2015-03-09T10:57:00

Solution 1

I urge you to stop building SQL-Statements the way you did there:

- Column values as literals in SQL-Statements lead to errors like the one you experience here.

- Column values as literals in SQL-Statements open the door for SQL-Injection-Attacks.

- Concatenating SQL-Statements makes them hard to read and maintain. In your case above, near impossible.

Instead, use SQL-Parameters. Simple Example here.[^]

I would suggest you do that and if you then still get the same error, come back and ask again. But post the whole SQL-Statement then - the excerpt you're showing here doesn't allow for identifying the error.

edit:

I think the cause of the error is this: Identifiers (e.g. table or column names) in SQL-Statements for MySQL have to be quoted using "back-ticks": `
Or, if the option ANSI_QUOTES is enabled, with double-quotes: "
You're using the single-quote for the table name: 'btechstudent_academics'
So I think it should work with `btechstudent_academics` or if not, then with "btechstudent_academics"

For further reading, see here: Schema Object Names[^]

Posted 9-Mar-15 10:57am

manchanx

Updated 10-Mar-15 0:57am

v2

Comments

Somesh Dhal 10-Mar-15 0:06am

I HAVE DONE As u said bt same error saying ..
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''btechstudent_academics' set Tenth=@Tenth Where Regd_no=@Regd_no' at line 1"
the code-
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using MySql.Data.MySqlClient;
using System.IO;

public partial class BtechSrtudentUpdate : System.Web.UI.Page
{
MySqlConnection conn1 = new MySqlConnection("Server=localhost;Database=test;Uid=root;Pwd=1234");

string r=" ";
protected void Page_Load(object sender, EventArgs e)
{

TextBoxtRegd.Text = Request.QueryString["regd"];

TextBoxTenth.Text = Request.QueryString["Tenth"];

}
protected void Button1_Click(object sender, EventArgs e)
{
string Regd_no;
Double Tenth;
Regd_no = TextBoxtRegd.Text;
Tenth = Convert.ToDouble(TextBoxTenth.Text);

conn1.Open();
string sql2 = "UPDATE 'btechstudent_academics' set Tenth=@Tenth" + " Where Regd_no=@Regd_no;";
MySqlCommand cmd2 = new MySqlCommand(sql2, conn1);
MySqlParameter param = new MySqlParameter("@Tenth",MySqlDbType.Double );
param.Value = Tenth;
cmd2.Parameters.Add(param );
MySqlParameter param1 = new MySqlParameter("@Regd_no", MySqlDbType.VarChar,10);
param.Value = Regd_no ;
cmd2.Parameters.Add(param1);

try
{
Response.Write("HI");
cmd2.ExecuteNonQuery();

Response.Write("HI2");
}
catch (Exception x)
{ Label1.Text = " " + x.Message; }
finally
{
conn1.Close();
}

}
protected void TextBox1_TextChanged(object sender, EventArgs e)
{

}
protected void TextBoxBacklog_TextChanged(object sender, EventArgs e)
{

}
protected void TextBoxTenth_TextChanged(object sender, EventArgs e)
{

}
protected void TextBox9_TextChanged(object sender, EventArgs e)
{

}
}

[no name] 10-Mar-15 6:55am

It's great that you followed my suggestion. I guess you can see that it leads to much clearer code, apart from its other benefits.

I've updated the solution above. Please take a look and if it solves your problem, please accept the anwer :-)