-3

How to put two conditions at the where clause. "Class_ID" is one of the condition

pendinglist.CommandText = " UPDATE Pending_List set room_status =" +
    "Still Pending" ; " Where Class_ID =
Tim Biegeleisen
  • 502,043
  • 27
  • 286
  • 360
Jee Hong
  • 13
  • 6
  • 2
    ...and what is the other condition? You just want `WHERE Class_ID = AND other_column = `. And you should read about prepared statements. – Tim Biegeleisen Jun 08 '18 at 01:50
  • What is going on with your query string? You have weird concatenations for no reason, a wayward semi-colon, an unterminated string...I feel like a bot posted this question. – itsme86 Jun 08 '18 at 01:54
  • you just have to concat strings and yes what is going on with your query string? – Nouman Bhatti Jun 08 '18 at 02:07
  • Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – mjwills Jun 08 '18 at 03:45

2 Answers2

0

You should use and at where clause:

   pendinglist.CommandText = " UPDATE Pending_List set room_status =" +
  "'Still Pending'" + " Where Class_ID = "+ "[your_id]" + " and room_status 
!= 'Still Pending'"
Filipe Ferreira
  • 61
  • 4
0

Please find the below code using Prepared Statements to create a prepared version of the command on an instance of SQL Server.

private static void SqlCommandPrepareEx(string connectionString)
{
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        connection.Open();
        SqlCommand command = new SqlCommand(null, connection);

        // Create and prepare an SQL statement.
        command.CommandText =
            "UPDATE Pending_List set room_status=@roomStatus " +
            "WHERE Class_ID=@classId AND Other=@Other";
        SqlParameter classIdParam = new SqlParameter("@classId", SqlDbType.Int, 0);
        SqlParameter OtherParam = new SqlParameter("@OtherParameter", SqlDbType.Int, 0);
        SqlParameter roomStatusParam = 
            new SqlParameter("@roomStatus", SqlDbType.Text, 100);
        classIdParam.Value = 1;
        roomStatusParam.Value = "Still Pending";
        otherParam.Value = 10;
        command.Parameters.Add(classIdParam);
        command.Parameters.Add(roomStatusParam);
        command.Parameters.Add(otherParam);

        // Call Prepare after setting the Commandtext and Parameters.
        command.Prepare();
        command.ExecuteNonQuery();    
    }
}
vCillusion
  • 1,749
  • 20
  • 33