I am developing a Windows application using C# 2010. I am trying to update my database values using an update query, but this error came:

Incorrect syntax near the keyword 'where'.


This is my update code:

C#
SqlConnection con1 = new SqlConnection(db.Connectionstring());
con1.Open();
// The SQL text is built by concatenating the TextBox values directly into the command.
// If txtqty.Text is empty, the statement becomes "quantity=quantity+  where ...",
// which is the "Incorrect syntax near the keyword 'where'" error shown above.
SqlCommand cmmds = new SqlCommand("update pqsub set quantity=quantity+" + txtqty.Text + "  where kuligai='" + txtkuligai.Text + "' and color ='" + txtcolor.Text + "' and meters='" + txtmeter.Text + "' ", con1);
cmmds.ExecuteNonQuery();
con1.Close();



Can anyone give me ideas?

What I have tried:

Incorrect syntax near the keyword 'where'.
Updated 29-Jul-16 22:04pm
Comments
Boopalslm 30-Jul-16 3:55am    
I got the answer..... Thanks to anyone who tried to help with my error.

1 solution

The important thing is: don't do it like that.
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parameterized queries instead.
Fixing that will also fix the problem you have noticed...
C#
using (SqlConnection con1 = new SqlConnection(db.Connectionstring()))
{
    con1.Open();
    // Placeholders (@QTY, @KUL, ...) stand in for the values; the SQL text never
    // contains user input, so quotes or keywords typed into a TextBox cannot
    // change the statement. The "quantity + @QTY" keeps the increment the
    // original query intended.
    string strSQL = "UPDATE pqsub SET quantity=quantity+@QTY WHERE kuligai=@KUL AND color=@COL AND meters=@MET";
    using (SqlCommand cmmds = new SqlCommand(strSQL, con1))
    {
        cmmds.Parameters.AddWithValue("@QTY", txtqty.Text);
        cmmds.Parameters.AddWithValue("@KUL", txtkuligai.Text);
        cmmds.Parameters.AddWithValue("@COL", txtcolor.Text);
        cmmds.Parameters.AddWithValue("@MET", txtmeter.Text);
        cmmds.ExecuteNonQuery();
    }
}
But if any of those are supposed to be numerical values, you should always check and convert them to an appropriate number variable type using TryParse and pass the number instead. If you start trying to pass user input numbers directly to your DB you are in for a world of pain later on!

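The two points made in the solution above (parameters instead of concatenation, and TryParse before the value reaches the database) combined into one method, as an added example that is not the asker's or the answerer's code. It assumes pqsub.quantity is an int column, pqsub.meters is a decimal column and kuligai/color are nvarchar columns; adjust the SqlDbType values to the real schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post. Column types below are
// assumptions about the pqsub table; the page does not state them.
public static class PqsubRepository
{
    // Adds qty to the matching stock row and returns the number of rows updated.
    // Invalid numbers are rejected here, so they never reach SQL Server.
    public static int AddQuantity(string connectionString,
                                  string qtyText, string kuligaiText,
                                  string colorText, string metersText)
    {
        // An empty qtyText is exactly what produced the original error:
        // "quantity=quantity+  where" is not valid T-SQL. Validate first.
        if (!int.TryParse(qtyText, out int qty))
            throw new ArgumentException("Quantity must be a whole number.", nameof(qtyText));
        if (!decimal.TryParse(metersText, out decimal meters))
            throw new ArgumentException("Meters must be a number.", nameof(metersText));

        // The SQL text is a constant; values travel separately as parameters,
        // so quotes or keywords typed into a TextBox are compared as plain data.
        const string sql =
            "UPDATE pqsub SET quantity = quantity + @QTY " +
            "WHERE kuligai = @KUL AND color = @COL AND meters = @MET";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Explicit types avoid AddWithValue inferring nvarchar for every value,
            // which forces implicit conversions and can bypass indexes.
            cmd.Parameters.Add("@QTY", SqlDbType.Int).Value = qty;
            cmd.Parameters.Add("@KUL", SqlDbType.NVarChar, 50).Value = kuligaiText;
            cmd.Parameters.Add("@COL", SqlDbType.NVarChar, 50).Value = colorText;
            cmd.Parameters.Add("@MET", SqlDbType.Decimal).Value = meters;

            con.Open();
            // 0 means no matching row; the caller should report that instead of
            // assuming the update succeeded.
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Call it from the button handler with the four TextBox values and show a message when the return value is 0.
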
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)