When this code runs, I get an UPDATE writing error. Does anybody know what the problem is, and how to fix it?
This is the code:
string sql2 = "UPDATE ezuser";
sql2 += " SET fname = '" + Request.Form["fname"]+ "'";
sql2 += " , lname = '" + Request.Form["lname"] + "'";
sql2 += " , fav = '" + Request.Form["fav"] + "'";
sql2 += " , pw = '" + Request.Form["pw"] + "'";
sql2 += " , order = '" + Request.Form["order"] + "'";
sql2 += " WHERE email = '" + Request.Form["email"] + "'";
MyAdoHelper.DoQuery(fileName, sql2);
Even though the question doesn't tell me much about the data types of the columns, the only thing I could suspect here is the order column, which might be of integer data type while you might be passing a string to it.
Additional note: your code looks very much vulnerable to SQL injection. Please take a look into that as well.
At least in SQL Server, order is a reserved keyword and needs to be properly quoted if used literally as a column name. Like so:
sql2 += " , [order] = '" + Request.Form["order"] + "'";
As sabhari already mentioned, you need to learn about SQL injection and how to properly guard against it. Research parameterized statements for the programming language you are using.
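Both answers above point at parameterized statements without showing one for this UPDATE. The following is an added C# example, not code from the question or from either answer: it rewrites the ezuser UPDATE with SqlCommand parameters, brackets the reserved column name order, and parses the order value as an integer before it reaches the server. It assumes SQL Server, string columns for fname, lname, fav and pw, an INT order column, and a connection string supplied by the caller; the column sizes are assumptions as well. The INSERT and UPDATE questions further down this page have the same shape.

```csharp
// Added example: parameterized UPDATE for the ezuser table from the question.
// Assumed: SQL Server; fname, lname, fav, pw are string columns; [order] is INT;
// email identifies the row. Column sizes below are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public static class EzUserRepository
{
    // Returns the number of rows updated. Throws before any SQL runs if the
    // order value is not a whole number, so a bad input never becomes a
    // server-side conversion error inside the UPDATE.
    public static int UpdateUser(string connectionString, string email, string fname,
                                 string lname, string fav, string pw, string orderText)
    {
        if (!int.TryParse(orderText, out int order))
            throw new ArgumentException("order must be a whole number", nameof(orderText));

        // 'order' is a reserved word in T-SQL, so the identifier is bracketed.
        // Values never appear in the SQL text; they travel as typed parameters,
        // so a quote character in fname or email is just data.
        const string sql =
            "UPDATE ezuser " +
            "SET fname = @fname, lname = @lname, fav = @fav, pw = @pw, [order] = @order " +
            "WHERE email = @email";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit types and sizes: AddWithValue would infer a new NVARCHAR
            // length per call, which defeats plan caching.
            cmd.Parameters.Add("@fname", SqlDbType.NVarChar, 50).Value = fname;
            cmd.Parameters.Add("@lname", SqlDbType.NVarChar, 50).Value = lname;
            cmd.Parameters.Add("@fav", SqlDbType.NVarChar, 100).Value = fav;
            cmd.Parameters.Add("@pw", SqlDbType.NVarChar, 100).Value = pw;
            cmd.Parameters.Add("@order", SqlDbType.Int).Value = order;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = email;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

In a web page the call site would pass the Request.Form values straight through, for instance UpdateUser(connectionString, Request.Form["email"], Request.Form["fname"], ...), and check the returned row count to detect an email that matched nothing.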
I want to insert value locating particular column. I used following script.
"INSERT INTO tbl_user VALUES(UserID = '" + myUser.ID + "', UserName = '" + myUser.Name + "', Password = '" + myUser.Password + "', UserType = '" + myUser.Type + "')";
But it gives me the following error.
Incorrect syntax near '='.
There may some other way to do this task. But I want to do it in this way. Can I?
Always use parameterized queries. Anyway, to correct your current attempt:
"INSERT INTO tbl_user (UserID, UserName, Password, UserType)
VALUES('" + myUser.ID + "','" + myUser.Name + "', '" + myUser.Password + "', '" + myUser.Type + "')";
The recommended way is to always go with a parameterized query to prevent SQL injection attacks:
SqlCommand cmd = new SqlCommand("INSERT INTO tbl_user (UserID, UserName, Password, UserType)
VALUES (@UserID, ...)", connection);
cmd.Parameters.AddWithValue("@UserID", myUser.ID);
...
No, you can't do it your way.
It is:
INSERT INTO table (column1_name,... ) VALUES (column1_value,...) ;
https://www.techonthenet.com/sql_server/insert.php
Incorrect syntax near '='
My code is:
"update staff_Tables
set emp_id='" + txtEmployeeID.Text + "' ,
emp_sal='" + txtEmpSal.Text + "',
emp_name='" + txtEmployeeName.Text + "',
emp_Deignation='" + txtDesignation.Text + "',
Gender='" + cboGender.Text + "',
contactno='" + txtContact.Text + "',
Address='" + rtbAddress.Text + "',
Joining_Date='" + txtjoindate.Text + "'
where txtid=" + txtid.Text, sqlcon.getCon());
First, you should never concatenate sql queries like this.
Your query is extremely vulnerable to Sql Injection attacks.
Always use either stored procedures or parameterized queries.
Second, did you try to debug? Judging by the column names, Emp_Id, Emp_Sal and contactno are probably numeric data and not strings, therefore the ' surrounding the values is wrong.
Your query should look like this:
"update staff_Tables
set emp_id = @emp_id,
emp_sal = @emp_sal,
emp_name = @emp_name,
emp_Deignation = @emp_Deignation,
Gender = @Gender,
contactno = @contactno,
Address = @Address,
Joining_Date = @Joining_Date
where txtid = @txtid"
and you add the parameter to the SqlCommand.Parameters collection like this:
cmd.Parameters.Add("@emp_id", SqlDbType.Int).Value = txtEmployeeID.Text;
You probably have a single quote in one of your .Text values; fix by doubling them up, for example:
Address='" + Replace(rtbAddress.Text, "'", "''") + "'    (VB)
Address='" + rtbAddress.Text.Replace("'", "''") + "'    (C#)
But yes, you are open to sql injection with this method of updating database.
I have a DataGridView and a search box where I can search for different dates in a certain column. Since the date is formatted as a string, it gives me the wrong order:
I type in 20 and get:
20.10.2014,
22.09.2014,
24.11.2014
and so on. I have read another thread here about this problem, but the solutions didn't help me. My SQL statement looks like the following:
DataTable datTable = new DataTable();
sqlCmd = new SqlCommand("SELECT ["+form1.timeBox.Text+ "] FROM [" + form1.getTableName() + "] WHERE convert(varchar(10),[" + form1.getTimeCol() + "],104) >= '" + form1.getFromDate().Trim() + "' ORDER BY convert(varchar(10),[" + form1.getTimeCol() + "],104) ASC", connection);
sqlDatAdapter = new SqlDataAdapter(sqlCmd.CommandText, connection);
sqlDatAdapter.Fill(datTable);
form1.setDataGrid = datTable;
and
form1.getFromDate()
is the function which grabs the entered string from the Textbox to search for. I tried to cast and convert to datetime and so on but it gets still shown in the wrong order. Can anyone help?
You are ordering by the formatted column; there is no need to do so, and that is the part creating your problem.
I'm against string concatenation to build SQL commands, but your code should be rewritten as follows:
sqlCmd = new SqlCommand("SELECT ["+form1.timeBox.Text+ "] FROM [" + form1.getTableName() + "] WHERE convert(varchar(10),[" + form1.getTimeCol() + "],104) >= '" + form1.getFromDate().Trim() + "' ORDER BY " + form1.getTimeCol() + " ASC", connection);
Instead of using '>=', use the 'Like' operator with a '%' character at the end of your form1.getFromDate().Trim(), which will give you the required result.
Using 'Like', your query will look like:
sqlCmd = new SqlCommand("SELECT ["+form1.timeBox.Text+ "] FROM [" + form1.getTableName() + "] WHERE convert(varchar(10),[" + form1.getTimeCol() + "],104) Like '" + form1.getFromDate().Trim() + "%' ORDER BY convert(varchar(10),[" + form1.getTimeCol() + "],104) ASC", connection);
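Both answers keep the table and column names spliced into the SQL from form1.timeBox.Text and form1.getTableName(), and the date as a dd.MM.yyyy string. Identifiers cannot be passed as SqlCommand parameters, so the added C# example below (not code from the question or either answer) checks them against an allow-list before they are placed in the statement, and compares and sorts on the real date column with a typed DATE parameter instead of the CONVERT(..., 104) text. It assumes the time column has a date or datetime type, that the user types a complete date in German format (the "104" style of the question), and that the permitted tables and columns are known in advance; the names in the allow-lists are constructed for the example. Unlike the Like answer, it does not support a partial prefix such as "20": a partial date is rejected.

```csharp
// Added example: date search for the DataGridView question with identifiers
// allow-listed and the date passed as a DATE parameter. Assumed: SQL Server;
// the time column is DATE/DATETIME; AllowedTables/AllowedColumns are
// constructed placeholders for the real schema.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class DateSearch
{
    // Table and column names cannot be parameters, so anything that goes into
    // the SQL text must come from a fixed list, never straight from a TextBox.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Visits" };
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "VisitDate", "Customer" };

    // Throws if the name is not on the list; returns it bracketed otherwise.
    private static string QuoteIdentifier(string name, HashSet<string> allowed)
    {
        if (!allowed.Contains(name))
            throw new ArgumentException("identifier not permitted: " + name);
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Accepts only a complete dd.MM.yyyy date. "20" on its own returns null
    // instead of silently turning into a string comparison.
    public static DateTime? ParseUserDate(string text)
    {
        if (DateTime.TryParseExact(text.Trim(), "dd.MM.yyyy", CultureInfo.InvariantCulture,
                                   DateTimeStyles.None, out DateTime d))
            return d;
        return null;
    }

    public static DataTable Search(string connectionString, string table, string selectColumn,
                                   string timeColumn, string fromDateText)
    {
        DateTime? from = ParseUserDate(fromDateText);
        if (from == null)
            throw new ArgumentException("enter a full date as dd.MM.yyyy", nameof(fromDateText));

        string timeCol = QuoteIdentifier(timeColumn, AllowedColumns);
        // Compare and sort on the date column itself. CONVERT(varchar(10), col, 104)
        // yields text, and text order puts 20.10.2014 before 22.09.2014.
        string sql = "SELECT " + QuoteIdentifier(selectColumn, AllowedColumns) +
                     " FROM " + QuoteIdentifier(table, AllowedTables) +
                     " WHERE " + timeCol + " >= @from" +
                     " ORDER BY " + timeCol + " ASC";

        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@from", SqlDbType.Date).Value = from.Value;
            using (var adapter = new SqlDataAdapter(cmd))
                adapter.Fill(result);   // Fill opens and closes the connection itself
        }
        return result;
    }
}
```

Binding the grid is then form1.setDataGrid = DateSearch.Search(connection.ConnectionString, form1.getTableName(), form1.timeBox.Text, form1.getTimeCol(), form1.getFromDate()); the grid can format the DATE column for display while the server still sorts it chronologically.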
I am trying to run this Query in my VB Application but receive an error saying:
unable to cast object of type 'system.string' to type 'system.iformatprovider'
SQL = "insert into billing_pdf_archive (reseller_sequence, invoice_number, pdf, worddoc, csv_cdr_file, csv_services_file, sub_total, vat_amount, grand_total, invoice_type, directdebit) values ('" + reseller.ToString + "','" + invoice_number.ToString + "', '" + Replace(reseller_company_name + "-" + invoice_number + ".pdf", " ", "_") + "', '" + Replace(reseller_company_name + "-" + invoice_number + ".doc", " ", "_") + "', '" + Replace(reseller_company_name + "-" + invoice_number.ToString + "_CDR.xlsx", " ", "_") + "', '" + Replace(reseller_company_name + "-" + invoice_number.ToString + "_Services.xlsx", " ", "_") + "', " + total.ToString("F2") + ", " + vat_amount.ToString("F2") + ", " + grand_total.ToString("F2") + ", 'Month End Reseller', '" + customer_direct_debit + "')"
conn3.ConnectionString = "server=" + global_variables.web_server_ip + "; user id=" + global_variables.web_server_username + "; password=" + global_variables.web_server_password + "; database=" + global_variables.web_server_database + "; "
conn3.Open()
myCommand3.Connection = conn3
myCommand3.CommandText = SQL
myCommand3.ExecuteNonQuery()
conn3.Close()
This is not a complete answer but I'll post it as an answer so that I can post formatted code. If you do as suggested in the comments and write clean, readable code then it will become obvious where the issue is and how to fix it. When you have one line that does lots of different things then working out what on that line is causing an issue is all but impossible. You should use an XML literal for your SQL code, parameters for your values and a connection string builder, e.g.
Dim sql = <sql>
INSERT INTO MyTable
(
Column1,
Column2
)
VALUES
(
@Column1,
@Column2
)
</sql>
command.CommandText = sql.Value
command.Parameters.AddWithValue("@Column1", value1)
command.Parameters.AddWithValue("@Column2", value2)
Dim builder As New SqlConnectionStringBuilder
builder.DataSource = server
builder.InitialCatalog = database
connection.ConnectionString = builder.ConnectionString
Now you'll be able to see exactly what part of your code is causing the issue and, if you still can't solve it yourself, will be able to point out where the issue is to us instead of expecting us to read that dog's breakfast.
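The question's statement formats three amounts with ToString("F2") into the SQL text and concatenates the password into the connection string. The added C# example below (not the answer's VB code, and not the question's) carries the billing_pdf_archive insert with SqlConnectionStringBuilder and typed parameters, so no number is ever rendered as text: the decimals go across as DECIMAL values, independent of the thread culture's decimal separator, and the file names are built once in a helper. It assumes SQL Server, INT reseller_sequence and invoice_number columns, DECIMAL(18,2) amount columns and text columns for the rest; the Invoice class and the parameter names are constructed for the example, while the table and column names are the question's.

```csharp
// Added example: the billing_pdf_archive insert with a connection string
// builder and typed parameters. Assumed: SQL Server; amounts are DECIMAL(18,2);
// reseller_sequence and invoice_number are INT; directdebit is a text column
// (the question passes a string). The Invoice class is constructed here.
using System;
using System.Data;
using System.Data.SqlClient;

public class Invoice
{
    public int ResellerSequence;
    public int InvoiceNumber;
    public string ResellerCompanyName;
    public decimal SubTotal;
    public decimal VatAmount;
    public decimal GrandTotal;
    public string CustomerDirectDebit;
}

public static class BillingArchive
{
    // "<company>-<invoice><suffix>" with spaces replaced, as the question builds it.
    public static string ArchiveFileName(string company, int invoiceNumber, string suffix)
    {
        return (company + "-" + invoiceNumber + suffix).Replace(" ", "_");
    }

    // The builder quotes values that contain ';' or quotes; concatenating the
    // password into "password=...;" would let such characters alter the keywords.
    public static string BuildConnectionString(string server, string user, string password, string database)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            UserID = user,
            Password = password,
            InitialCatalog = database
        };
        return b.ConnectionString;
    }

    // Precision and scale are set explicitly to match the assumed DECIMAL(18,2)
    // columns; without them SqlClient infers the scale from each value.
    private static void AddAmount(SqlCommand cmd, string name, decimal value)
    {
        SqlParameter p = cmd.Parameters.Add(name, SqlDbType.Decimal);
        p.Precision = 18;
        p.Scale = 2;
        p.Value = value;
    }

    public static int Archive(string connectionString, Invoice inv)
    {
        const string sql =
            "INSERT INTO billing_pdf_archive " +
            "(reseller_sequence, invoice_number, pdf, worddoc, csv_cdr_file, csv_services_file, " +
            " sub_total, vat_amount, grand_total, invoice_type, directdebit) " +
            "VALUES (@reseller, @invoice, @pdf, @doc, @cdr, @services, " +
            " @subTotal, @vat, @grandTotal, @invoiceType, @directDebit)";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            string name = inv.ResellerCompanyName;
            int no = inv.InvoiceNumber;
            cmd.Parameters.Add("@reseller", SqlDbType.Int).Value = inv.ResellerSequence;
            cmd.Parameters.Add("@invoice", SqlDbType.Int).Value = no;
            cmd.Parameters.Add("@pdf", SqlDbType.NVarChar, 255).Value = ArchiveFileName(name, no, ".pdf");
            cmd.Parameters.Add("@doc", SqlDbType.NVarChar, 255).Value = ArchiveFileName(name, no, ".doc");
            cmd.Parameters.Add("@cdr", SqlDbType.NVarChar, 255).Value = ArchiveFileName(name, no, "_CDR.xlsx");
            cmd.Parameters.Add("@services", SqlDbType.NVarChar, 255).Value = ArchiveFileName(name, no, "_Services.xlsx");
            AddAmount(cmd, "@subTotal", inv.SubTotal);
            AddAmount(cmd, "@vat", inv.VatAmount);
            AddAmount(cmd, "@grandTotal", inv.GrandTotal);
            cmd.Parameters.Add("@invoiceType", SqlDbType.NVarChar, 50).Value = "Month End Reseller";
            cmd.Parameters.Add("@directDebit", SqlDbType.NVarChar, 10).Value = inv.CustomerDirectDebit;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

With the amounts typed as decimal on the Invoice object, the ToString("F2") call that raised the IFormatProvider error has no place left to occur; formatting becomes a display concern only.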
I have written a c# code to update a MS Access table data, but it is showing an error "Syntax error in update statement".
string sql = "update Users set Name='" + txtUser_Name.Text + "',Password='"
+ txtPassword.Text + "'where Name='" + usr + "'";
Please tell me the right code.
Maybe this will work
string sql = "update Users set Name='" + txtUser_Name.Text +
"', Password='" + txtPassword.Text + "' where Name='" + usr + "'";
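The answer above only restores the missing space before where. The added C# example below is not code from the question or the answer: it runs the same Users update against Access through OleDb with positional parameters, and brackets Name and Password, both of which appear on the Access reserved-word list, so neither the values nor the identifiers can be misread by the Jet/ACE parser. It assumes an .accdb file opened with the Microsoft.ACE.OLEDB.12.0 provider and text columns; the table and column names are the question's.

```csharp
// Added example: the Users update for Access via OleDb. Assumed: an .accdb
// file, the ACE 12.0 provider, and text Name/Password columns (sizes assumed).
using System.Data;
using System.Data.OleDb;

public static class AccessUsers
{
    // Returns the number of rows changed; 0 means no user had currentName.
    public static int RenameAndSetPassword(string accdbPath, string currentName,
                                           string newName, string newPassword)
    {
        string cs = new OleDbConnectionStringBuilder
        {
            Provider = "Microsoft.ACE.OLEDB.12.0",
            DataSource = accdbPath
        }.ConnectionString;

        // Name and Password are reserved words in Access SQL, so both are
        // bracketed. OleDb parameters are positional: the '?' placeholders are
        // bound in the order the parameters are added, whatever their names.
        const string sql = "UPDATE Users SET [Name] = ?, [Password] = ? WHERE [Name] = ?";

        using (var conn = new OleDbConnection(cs))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            cmd.Parameters.Add("newName", OleDbType.VarWChar, 50).Value = newName;
            cmd.Parameters.Add("newPassword", OleDbType.VarWChar, 100).Value = newPassword;
            cmd.Parameters.Add("currentName", OleDbType.VarWChar, 50).Value = currentName;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The call site passes txtUser_Name.Text and txtPassword.Text as the new values and usr as the current name; the order of the three Add calls must match the order of the three ? placeholders in the statement.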