Incorrect syntax near '='

My code is:

"update staff_Tables 
 set emp_id='" + txtEmployeeID.Text + "' , 
     emp_sal='" + txtEmpSal.Text + "', 
     emp_name='" + txtEmployeeName.Text + "',
     emp_Deignation='" + txtDesignation.Text + "',
     Gender='" + cboGender.Text + "',
     contactno='" + txtContact.Text + "',
     Address='" + rtbAddress.Text + "',
     Joining_Date='" + txtjoindate.Text + "' 
 where txtid=" + txtid.Text, sqlcon.getCon());
Asked by James; edited by Zohar Peled.

2 Answers

First, you should never concatenate sql queries like this. Your query is extremely vulnerable to Sql Injection attacks.

Always use either stored procedures or parameterized queries.

Second, did you try to debug? Judging by the column names, Emp_Id, Emp_Sal and contactno are probably numeric data and not strings, therefore the ' surrounding the values is wrong.

Your query should look like this:

"update staff_Tables 
 set emp_id = @emp_id, 
     emp_sal = @emp_sal, 
     emp_name = @emp_name,
     emp_Deignation = @emp_Deignation,
     Gender = @Gender,
     contactno = @contactno,
     Address = @Address,
     Joining_Date = @Joining_Date 
 where txtid = @txtid"

and you add the parameter to the SqlCommand.Parameters collection like this:

cmd.Parameters.Add("@emp_id", SqlDbType.Int).Value = txtEmployeeID.Text;
Zohar Peled
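A complete parameterized version of this UPDATE, added here as an example (it is not code from the question or from the answerer). It assumes the column types the answer guesses (emp_id, emp_sal, txtid numeric), a date column for Joining_Date, BigInt for contactno, and the hypothetical StaffInput and StaffRepository names; the TextBox inputs are validated once in C# so a bad number or date becomes a message to the user instead of a malformed SQL string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // .NET Framework; on .NET Core/5+ use Microsoft.Data.SqlClient

// Hypothetical holder for the already-validated form values (not from the page).
public sealed class StaffInput
{
    public int EmpId;
    public decimal EmpSal;
    public string EmpName = "";
    public string Designation = "";
    public string Gender = "";
    public long ContactNo;          // assumption: BigInt, phone numbers overflow int
    public string Address = "";
    public DateTime JoiningDate;
}

public static class StaffRepository
{
    // The same UPDATE as in the answer, as a verbatim string so it may span lines in C#.
    private const string UpdateSql = @"
update staff_Tables
   set emp_id         = @emp_id,
       emp_sal        = @emp_sal,
       emp_name       = @emp_name,
       emp_Deignation = @emp_Deignation,
       Gender         = @Gender,
       contactno      = @contactno,
       Address        = @Address,
       Joining_Date   = @Joining_Date
 where txtid = @txtid";

    // Parse the TextBox strings up front. Returns null and sets error when a
    // numeric or date field does not parse, so nothing malformed reaches SQL.
    public static StaffInput ParseInputs(string empId, string empSal, string empName,
        string designation, string gender, string contactNo, string address,
        string joinDate, out string error)
    {
        error = null;
        var s = new StaffInput { EmpName = empName, Designation = designation,
                                 Gender = gender, Address = address };

        if (!int.TryParse(empId, out s.EmpId))
            error = "Employee ID must be a whole number.";
        else if (!decimal.TryParse(empSal, out s.EmpSal))
            error = "Salary must be a number.";
        else if (!long.TryParse(contactNo, out s.ContactNo))
            error = "Contact number must contain digits only.";
        else if (!DateTime.TryParse(joinDate, out s.JoiningDate))
            error = "Joining date is not a valid date.";

        return error == null ? s : null;
    }

    // Runs the UPDATE with typed parameters and returns the number of rows affected.
    public static int UpdateStaff(SqlConnection con, int txtid, StaffInput s)
    {
        using (var cmd = new SqlCommand(UpdateSql, con))
        {
            // Each value travels as a typed parameter; the driver never splices it into
            // the SQL text, so an apostrophe in a name such as O'Brien is just data.
            cmd.Parameters.Add("@emp_id", SqlDbType.Int).Value = s.EmpId;
            cmd.Parameters.Add("@emp_sal", SqlDbType.Decimal).Value = s.EmpSal;
            cmd.Parameters.Add("@emp_name", SqlDbType.NVarChar, 100).Value = s.EmpName;
            cmd.Parameters.Add("@emp_Deignation", SqlDbType.NVarChar, 100).Value = s.Designation;
            cmd.Parameters.Add("@Gender", SqlDbType.NVarChar, 10).Value = s.Gender;
            cmd.Parameters.Add("@contactno", SqlDbType.BigInt).Value = s.ContactNo;
            cmd.Parameters.Add("@Address", SqlDbType.NVarChar, 500).Value = s.Address;
            cmd.Parameters.Add("@Joining_Date", SqlDbType.Date).Value = s.JoiningDate;
            cmd.Parameters.Add("@txtid", SqlDbType.Int).Value = txtid;

            if (con.State != ConnectionState.Open) con.Open();
            return cmd.ExecuteNonQuery();   // 0 means no row had that txtid
        }
    }
}

// Usage from the form's button handler, with the control names from the question:
//
// var staff = StaffRepository.ParseInputs(txtEmployeeID.Text, txtEmpSal.Text,
//     txtEmployeeName.Text, txtDesignation.Text, cboGender.Text, txtContact.Text,
//     rtbAddress.Text, txtjoindate.Text, out string err);
// if (staff == null) { MessageBox.Show(err); return; }
// int rows = StaffRepository.UpdateStaff(sqlcon.getCon(), int.Parse(txtid.Text), staff);
```

The parameter sizes (100, 10, 500) are placeholders; match them to the real column definitions, and if contactno is actually a text column in your schema, change that parameter to NVarChar and keep the value as a string.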
You probably have a single quote in one of your .Text values, fix by doubling them up, example:

VB: Address='" + Replace(rtbAddress.Text, "'", "''") + "'
C#: Address='" + rtbAddress.Text.Replace("'", "''") + "'

But yes, you are open to sql injection with this method of updating database.

Jim Benton