ERROR : The multi-part identifier could not be bound, c# console Application

Question

SqlConnection cn = new SqlConnection("user id=ID;" +
                       "password=PASS;server=svr;" +
                       "Trusted_Connection=no;" +
                       "database=db; " +
                       "connection timeout=30");
                       cn.Open();
            SqlCommand command1 = new SqlCommand();

            command1.Connection = cn;
                     Console.WriteLine(ListofOrders.Count);
              for (int i = 0; i < ListofOrders.Count; i++)
                 command1.CommandText += string.Format("update table set Status='Expired' where GUID={0};", ListofOrders[i].ToString());

            command1.ExecuteNonQuery();
                    // LogicHandler.UpdateActiveOrders();
            Console.WriteLine("DONE", ConsoleColor.Cyan);

Getting error at this step: command1.ExecuteNonQuery(); Error Message: The multi-part identifier could not be bound.

What i am trying here is I am running a select query and getting that data into the ListofOrders list from that I wanna run the update to those data in the list.

Please help

Answer 1

If you use a Reserved Keyword like table you have to wrap it in square brackets: [table]. But it would be better to not use them in the first place.

I guess you need to wrap the Guid with apostrophes like in GUID='{0}'. Howver, you should use sql-parameters instead of string concatenation, always. That prevents also sql-injection.

string update = @"update tablename -- or [Table] but i wouldnt do that
                  set Status='Expired' 
                  where GUID=@GUID";
command1.CommandText = update;
command1.Parameters.Add("@GUID", SqlDbType.UniqueIdentifier).Value = new Guid(ListofOrders[i].ToString());

As an aside, why have you used command1.CommandText += instead of just command1.CommandText =? That is at least confusing, if you reuse the command it could also cause errors.