
Is this syntax wrong? Is it possible that I can't use `where ... and ...`?

string str = "UPDATE meetings SET caseNum='" + mt.caseNum + "' ,place='" + mt.place + "' ,MeetingDate='"
                + mt.MeetingDate + "' ,betMishpat='" + mt.betMishpat + "', time='"+mt.time+"' ,description='"+mt.description+"' , " +
                "client='"+mt.client+"' WHERE caseNum='"+mt.caseNum+"' and time='"+mt.time+"' and place ='"+mt.place+"' ";

Whenever I try to update, I get the message that there is a syntax error.

  • 3
    Is the syntax "wrong"? Well, in a sense . . . you are sticking literal values into a query string rather than using parameters. In most contexts, that is quite wrong. – Gordon Linoff Jun 01 '21 at 22:12
  • So, how can I update a query with multiple "where" conditions without parameters? – fady abo swees Jun 01 '21 at 22:18
  • 2
    The update query string you're building this way is prone to SQL injection attacks, so it's in that sense that it's wrong. You should use something like `SqlCommand` to build your queries, like in this question: https://stackoverflow.com/questions/9433148/generating-sql-queries-safely-in-c-sharp – Arca Artem Jun 01 '21 at 22:23
  • 4
    Could you include the actual message? Do you get the error at compile time, or at run time? You should read up on _SQL Injection_ and the story of _Little Bobby Tables_ (https://bobby-tables.com). Also consider getting your query working in SQL Server Management Studio (SSMS) before using it in a C# program. – Flydog57 Jun 01 '21 at 22:24
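
The parameterized form the comments point to, as an added example (not code from the question or its commenters). It assumes SQL Server through `System.Data.SqlClient`, NVARCHAR columns, and a hypothetical `Meeting` class standing in for `mt`; the sample values are constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical shape of the question's `mt` object; field names come from the query.
public class Meeting
{
    public string caseNum, place, MeetingDate, betMishpat, time, description, client;
}

public static class MeetingUpdate
{
    // The question's query also SETs caseNum, time and place to the values the
    // WHERE clause matches on; those no-op assignments are left out here.
    const string Sql =
        "UPDATE meetings SET MeetingDate = @MeetingDate, betMishpat = @betMishpat, " +
        "description = @description, client = @client " +
        "WHERE caseNum = @caseNum AND time = @time AND place = @place";

    public static SqlCommand Build(SqlConnection conn, Meeting mt)
    {
        var cmd = new SqlCommand(Sql, conn);
        Add(cmd, "@MeetingDate", mt.MeetingDate);
        Add(cmd, "@betMishpat", mt.betMishpat);
        Add(cmd, "@description", mt.description);
        Add(cmd, "@client", mt.client);
        Add(cmd, "@caseNum", mt.caseNum);
        Add(cmd, "@time", mt.time);
        Add(cmd, "@place", mt.place);
        return cmd;
    }

    // Assumption: every column is NVARCHAR (the page does not show the schema).
    static void Add(SqlCommand cmd, string name, string value) =>
        cmd.Parameters.Add(name, SqlDbType.NVarChar, 4000).Value = (object)value ?? DBNull.Value;

    public static void Main()
    {
        // Constructed sample row; the apostrophe would end the quoted literal in the
        // concatenated version, but here it travels as data and the SQL text is fixed.
        var mt = new Meeting { caseNum = "1001", place = "Judge's chambers", time = "09:30",
            MeetingDate = "2021-06-02", betMishpat = "Haifa", description = "hearing", client = "O'Neil" };
        using (var conn = new SqlConnection())   // never opened: nothing is sent to a server
        using (var cmd = Build(conn, mt))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine($"{p.ParameterName} = {p.Value}");
            // With a real connection string: conn.Open(); int rows = cmd.ExecuteNonQuery();
        }
    }
}
```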

0 Answers