'Incorrect syntax near '.'.'

Question

        TextBox txtStatus = GridView1.Rows[e.RowIndex].FindControl("TextBox6") as TextBox;
        string strcn = ConfigurationManager.ConnectionStrings["dbconnection"].ConnectionString;
        SqlConnection con = new SqlConnection( strcn);
        con.Open();
        SqlCommand cmd = new SqlCommand("update Associate_Table set [Status] = @Status where [Associate ID] =+Convert.ToInt32(id.Text)", con);
        cmd.Parameters.AddWithValue("@Status", txtStatus.Text);
        int i = cmd.ExecuteNonQuery();
        
        con.Close();

plz help getting error. I have no idea what, I done here and the error is System.Data.SqlClient.SqlException: 'Incorrect syntax near '.'.'

Debug the code and you will see that the Sql you generate is incorrect. You are concatenating a string "+Convert.ToInt32(id.Text)" into the sql-clause. Also your code (when that is fixed) will be vulnerable to sql-injection. Please use parameters for each value, same way you use it with status. — Esko, Mar 16 '23 at 13:00

score 1 · Answer 1 · answered Mar 16 '23 at 13:01

Use the + sign only for concatenating string values. Update your code by following snippet.

SqlCommand cmd = new SqlCommand("update Associate_Table set [Status] = @Status where [Associate ID] = @AssociateID", con);
cmd.Parameters.AddWithValue("@Status", txtStatus.Text);
cmd.Parameters.AddWithValue("@AssociateID", Convert.ToInt32(id.Text));

score -1 · Answer 2 · answered Mar 16 '23 at 12:51

-1

Put aout the parameter from the query string...

Something like :

SqlCommand cmd 
   = new SqlCommand("update Associate_Table 
                     set [Status] = @Status where [Associate ID] = " 
                    + Convert.ToInt32(id.Text), con);

answered Mar 16 '23 at 12:51

SQLpro

3,994
1
6
14

'Incorrect syntax near '.'.'

2 Answers2