can any one tell me where exactly the error int this piece of c# code?

Question

md.CommandText = "select * from HFour where ID=" + id[num];
SqlDataReader re = cmd.ExecuteReader();

if (re.HasRows)
{
    while (re.Read())
    {
        oldvalue.ID = Convert.ToInt32(re[0]);
        oldvalue.Name = re[1].ToString();
        oldvalue.Description = re[2].ToString();
        oldvalue.SourceID = re[3].ToString();
        if (re[4] !=DBNull.Value)
        {
            oldvalue.SourceTypeID = Convert.ToInt32(re[4]);
        }
        else
        { 
        }
        oldvalue.CreatedOn = Convert.ToDateTime(re[5]);
        oldvalue.CreatedBy = re[6].ToString();
        if (re[7] != DBNull.Value)
        {
            oldvalue.ModifiedOn = Convert.ToDateTime(re[7]);
        }
        oldvalue.ModifiedBy = re[8].ToString();
        oldvalue.HThreeID =                                    Convert.ToInt32(re[9].ToString());
        oldvalue.IsActive = Convert.ToBoolean(re[10].ToString());
    }
    re.Close();

string command = "update HFour set Name='" + oldvalue.Name + "'," +
                 "Description='" + oldvalue.Description + "'," + 
                 "SourceID='" + oldvalue.SourceID + "'," + "SourceTypeID=" + 
                  oldvalue.SourceTypeID + "," + "CreatedOn='" + 
                  oldvalue.CreatedOn + "'," + "CreatedBy='" + 
                  oldvalue.CreatedBy + "'," + "ModifiedBy='" + 
                  oldvalue.ModifiedBy + "'," + "ModifiedOn='" +  
                  oldvalue.ModifiedOn + "'," + "HThreeID=" + 
                  oldvalue.HThreeID + "," + "IsActive='" + 
                  oldvalue.IsActive + "' where ID=" + id[num];
cmd.CommandText = command;
int reed = cmd.ExecuteNonQuery();

and the error is the following:

An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code

Additional information:

Incorrect syntax near ','

any suggestion would greatly appreciated

[What is SQL injection?](http://stackoverflow.com/questions/601300/what-is-sql-injection) — Martin Liversage, Mar 02 '16 at 07:08
Hello to SO. I hope you see now how important is the formatting of your question. Please read the section how we write a well formed question in SO. This way it would be clear to the readers of the question what is the problem. — Christos, Mar 02 '16 at 07:09
You should really consider parameterizing that query. Not much effort and security gains are enormous considering what you have now. — scheien, Mar 02 '16 at 07:10
You should debug and check what the actual sql generated is. (the value in the command-string) — andreasnico, Mar 02 '16 at 07:12

score 3 · Accepted Answer · edited Mar 02 '16 at 07:27

The problem is in the command you build. It is not well formed.

However there is a much more serious problem with this code. It is vulnerable to SQL injection. You have to build a parameterized query, in order to avoid it, like below:

string command = "UPDATE HFour SET Name=@Name, Description=@Description"; 
command.Parameters.Add(new SqlParamter("@Name",oldvalue.Name));
command.Parameters.Add(new SqlParamter("@Description",oldvalue.Description));

Apparently, the same holds also for the first sql query.

"select * from HFour where ID=" + id[num];

You will have to make also this a parameterized query.

can any one tell me where exactly the error int this piece of c# code?

1 Answers1