Home > OS >  System.Data.SqlClient.SqlException: 'Incorrect syntax near the keyword 'where'.'
System.Data.SqlClient.SqlException: 'Incorrect syntax near the keyword 'where'.'

Time:01-24

the code is below and the error starting from sqlCommand cmd the 13th line of this code

private void button2_Click(object sender, EventArgs e)
{
   if (StudenUsn.Text == "" )
   {
      MessageBox.Show("Enter The Student Number");
   } else {
      Con.Open();
      String query = "update Student_tbl set StdName='"   StudName.Text   "',where FatherName='"   FtName.Text   "',where MotherName='"   MtName.Text   "',where StdAddress='"   Address.Text   "',where Collage ='"   Collage.Text   "'set StdRoom = "   StRmNum.SelectedValue.ToString() ",StdStatus = '"  StudSt.SelectedItem.ToString()   "' where StdUsn ='" StudenUsn  "')";
      SqlCommand cmd = new SqlCommand(query, Con);
      cmd.ExecuteNonQuery();
      MessageBox.Show("Room Successfully Updates");
      Con.Close();
      FillStudentDGV();
   }
}

CodePudding user response:

Your code should look more like:

private void button2_Click(object sender, EventArgs e)
{
   if (StudenUsn.Text == "" )
   {
      MessageBox.Show("Enter The Student Number");
   } else {
      Con.Open();
      String query = @"
update Student_tbl 
set 
  StdName=@sn,
  FatherName=@fn,
  MotherName=@mn,
  StdAddress=@sa,
  Collage=@c,
  StdRoom=@sr,
  StdStatus=@ss
where
  StdUsn=@su";

  SqlCommand cmd = new SqlCommand(query, Con);

  cmd.Parameters.AddWithValue(@sn, StudName.Text);
  cmd.Parameters.AddWithValue(@fn, FtName.Text);
  cmd.Parameters.AddWithValue(@mn, MtName.Text);
  cmd.Parameters.AddWithValue(@sa, Address.Text);
  cmd.Parameters.AddWithValue(@c, Collage.Text);
  cmd.Parameters.AddWithValue(@sr, StRmNum.SelectedValue);
  cmd.Parameters.AddWithValue(@ss, StudSt.SelectedItem);
  cmd.Parameters.AddWithValue(@su, StudenUsn);
      cmd.ExecuteNonQuery();
      MessageBox.Show("Room Successfully Updates");
      Con.Close();
      FillStudentDGV();
   }
}

There are good reasons to avoid using AddWithValue if you use SQLServer which you can get into at a later date if you want, but it's convenient for me (who doesn't know the types and widths of your columns) dealing with the current massive elephant in the room which is your SQL is massively vulnerable to a hacking technique known as sql injection (and to a lesser extent it would blow up with an error for any student whose name included an apostrophe) - using AddWithValue might make your query slightly slower, but better that than it be the cause of the next data breach; learn how to write SQLs right, right now

Never ever take data supplied by a user and concatenate it into an SQL string. Doing so essentially, in most cases, gives the user access to your database. So many big companies whose developers should know better, put up expensive firewalls and security and then let anyone in via this back door anyway; sql injection prone systems are one of the leading causes of hacks in the world today

Always use @parameter placeholders in the SQL for user data and add a parameter to the command's parameters collection, containing the data

Now on the topic of your actual error; the pattern for an update is

update table 
set col1=@param1, col2=@param2 ...
where (some conditions)

You have one where and one set. If there is some conditional aspect to your set, like you only want to update the student name/address if it is currently null then you can do like:

update table 
set 
  name=case when name is null then @n else name end,
  address=case when address is null then @a else address end
where (some conditions)

Or more simply

update table 
set 
  name=coalesce(name, @n)
  address=coalesce(address, @a)
where (some conditions)

You can't mix n match and say "where this=that where this2=that2 set this3=that3" - that's a syntax error. Where is for picking the row you want to update and set is for starting a block of commas separated columns and values the row data is to be updated to.

Strive to write your sql nicely formatted inside an @string; it's a programming language all of its own, and will be easier to debug if it's laid out nicely

CodePudding user response:

Can u try with it ?

String query = "update Student_tbl set StdName='"   StudName.Text   "',StdRoom = '"   StRmNum.SelectedValue.ToString() "',StdStatus = '"  StudSt.SelectedItem.ToString()   "' where FatherName='"   FtName.Text   "' and MotherName='"   MtName.Text   "' and StdAddress='"   Address.Text   "' and Collage ='"   Collage.Text   "' and StdUsn ='" StudenUsn  "'";

Page link:https//www.codepudding.com/os/274257.html

Prev:Async await method gets stuck
Next:How do I distribute a value across a list of integers, with a priority to fill the integers to a sof
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding