-2

What's wrong?

SqlCommand cmd = new SqlCommand(@"Update       Perioada p join Client c on p.ID_Client = c.ID_Client
 SET  p.Date ='" + dateTimePicker1.Value.ToString("MM/dd/yyyy") + "' WHERE (c.CNP = '" + textBox1.Text + "')", con);
cmd.ExecuteNonQuery();


Alberto Monteiro
lx23
  • The syntax of your SQL statement is not correct. How to correct it will depend on which DB type you are using. See: http://stackoverflow.com/questions/1293330/how-can-i-do-an-update-statement-with-join-in-sql – jmoerdyk Jan 05 '16 at 23:53
  • I worked in SQL Server. The interface is in Visual Studio. – lx23 Jan 05 '16 at 23:58
  • @Tim - actually, using parameterized queries is the correct way. As Harsh points out below, concatenated statements are ripe for SQL Injection attacks. – jmoerdyk Jan 06 '16 at 00:02

1 Answer

2

Assuming you are using SQL Server (because you are using System.Data.SqlClient), below is the correct syntax for the update statement:

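// Requires: using System; using System.Data.SqlClient;
// UPDATE <alias> ... FROM ... JOIN is the SQL Server form of an update through a join.
string sqlQuery = "Update p SET  p.Date =@dt from Perioada p join Client c on p.ID_Client = c.ID_Client WHERE (c.CNP = @cnp)";

using (SqlConnection con = new SqlConnection(connectionString))
{
    SqlCommand command = new SqlCommand(sqlQuery, con);
    // Control values are bound as parameters instead of being concatenated into the SQL text.
    command.Parameters.AddWithValue("@dt", dateTimePicker1.Value.ToString("MM/dd/yyyy"));
    command.Parameters.AddWithValue("@cnp", textBox1.Text);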

    try
    {
        con.Open();
        command.ExecuteNonQuery();
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.Message);
    }
}

On a side note, you should use SqlParameter to pass the input controls' values to SQL Server, instead of manually creating the SQL query with appended values. Your way of creating the query is prone to SQL injection attacks.

EDIT: Edited answer to depict a way to use a parameterised query.

Harsh
  • 1,309
  • 8
  • 14
  • It would be a much better answer in my opinion if you showed the OP doing it with `using() {} as well as Parameterized query` `+1` – MethodMan Jan 06 '16 at 00:04
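
A hardened variant of the parameterized update discussed in this thread, as an added example that is not part of the original answer. It validates the input, uses typed parameters instead of `AddWithValue`, and disposes both objects with `using`. The class and method names, the 13-digit CNP rule, and the column types (`date` for `Perioada.Date`, `varchar(13)` for `Client.CNP`) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class PerioadaRepository   // hypothetical helper class, not from the original post
{
    // Assumption: a CNP is exactly 13 ASCII digits; adjust to the real column definition.
    static readonly Regex CnpPattern =
        new Regex(@"\A[0-9]{13}\z", RegexOptions.CultureInvariant);

    // The SQL text is a constant: user input never becomes part of the statement.
    const string UpdateSql =
        @"UPDATE p SET p.Date = @dt
          FROM Perioada p
          JOIN Client c ON p.ID_Client = c.ID_Client
          WHERE c.CNP = @cnp";

    // Returns the number of rows updated; 0 means no client matched the CNP.
    public static int UpdateDate(string connectionString, string cnp, DateTime date)
    {
        // Reject malformed input before it reaches the database.
        if (cnp == null || !CnpPattern.IsMatch(cnp))
            throw new ArgumentException("CNP must be 13 digits.", nameof(cnp));

        using (var con = new SqlConnection(connectionString))
        using (var command = new SqlCommand(UpdateSql, con))
        {
            // Typed parameters: the DateTime is sent as a date, not as a
            // culture-dependent string, and nothing is inferred from the value.
            command.Parameters.Add("@dt", SqlDbType.Date).Value = date.Date;
            command.Parameters.Add("@cnp", SqlDbType.VarChar, 13).Value = cnp;

            con.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

From the form, this would be called as `PerioadaRepository.UpdateDate(connectionString, textBox1.Text, dateTimePicker1.Value)`, with the caller deciding how to report an `ArgumentException` or a `SqlException` to the user.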