Reputation: 885
Editing data into SQL with C#
I have this method for Editing data but I don't know how to write the code... Until now I have this which I don't really understand and I have an error in it. It says incorrect syntax near '('.
public void EditMember(Member member)
{
string Name = member.Name;
string Surname = member.Surname;
string EntryDate = member.EntryDate.ToString("dd.MM.yyyy");
string Status = member.Status;
sqlConnection.Open();
sqlCommand = new SqlCommand(
"UPDATE Members SET (Name, Surname, EntryDate) VALUES('" + Name + "','" + Surname + "','" + EntryDate + "')' WHERE'(' Id '='" + member.Id + "')",
sqlConnection);
sqlCommand.ExecuteNonQuery();
sqlConnection.Close();
}
The problem is when I start to write WHERE
Help please.
Upvotes: 0
Views: 265
Answers (6)
Reputation: 2192
Edit the post to make correct answer:
i.e. you don't need brackets in where clause. And yes the better query is
"UPDATE Members SET Name=@Name, Surname=@Surname, EntryDate=@EntryDate WHERE Id=@ID"
and then you add @Name, @Surname, .. etc through parameter of command object.
Upvotes: -1
Reputation: 9074
Your code has syntax error for update and also SQLInjection issue.
You need to pass parameters to update query rather than passing direct values.
It should be as follows:
public void EditMember(Member member)
{
string Name = member.Name;
string Surname = member.Surname;
string EntryDate = member.EntryDate.ToString("dd.MM.yyyy");
string Status = member.Status;
sqlConnection.Open();
sqlCommand = new SqlCommand("UPDATE Members SET Name=@Name, Surname=@Sirname, EntryDate=@EntryDate WHERE Id = @id", sqlConnection);
sqlCommand.parameters.AddparameterWithValue("@Name",Name);
sqlCommand.parameters.AddparameterWithValue("@Surname",Surname);
sqlCommand.parameters.AddparameterWithValue("@EntryDate",EntryDate);
sqlCommand.parameters.AddparameterWithValue("@Id",Id);
sqlCommand.ExecuteNonQuery();
sqlConnection.Close();
}
Upvotes: 0
Reputation: 1499860
Please read all of this answer, not just the first part
There are multiple issues here. The most immediate problem is here:
"')' WHERE'('
That's acting as if you're trying to quote the bracket. That "should" be:
"') WHERE ('
At that point it would look like a valid (but bad) INSERT command... but your use of VALUES which doesn't look like it's a valid way of updating in T-SQL anyway.
However, you shouldn't use this approach at all. It's error-prone, hard to read, and most importantly prone to SQL injection attacks.
Instead, you should use parameterized SQL:
string sql = @"UPDATE Members
SET Name = @Name, Surname = @Surname, EntryDate = @EntryDate
WHERE Id = @Id";
using (var connection = new SqlConnection(...))
{
connection.Open();
using (var command = new SqlCommand(sql, connection))
{
command.Parameters.Add("@Name", SqlDbType.NVarChar).Value = member.Name;
command.Parameters.Add("@Surname", SqlDbType.NVarChar).Value = member.Surname;
command.Parameters.Add("@EntryDate", SqlDbType.DateTime).Value = member.EntryDate;
command.Parameters.Add("@Id", SqlDbType.NVarChar).Value = member.Id;
int rows = command.ExecuteNonQuery();
// TODO: Work out what to do if rows isn't 1
}
}
(With adjustments for the appropriate data types, of course.)
Upvotes: 3
Reputation: 216253
The correct syntax for an update statement is
"UPDATE Members SET Name = @name, Surname = @surname, EntryDate = @date WHERE id=@id"
Said that, you should use parameterized query like this
public void EditMember(Member member)
{
string Name = member.Name;
string Surname = member.Surname;
string EntryDate = member.EntryDate.ToString("dd.MM.yyyy");
string Status = member.Status;
sqlConnection.Open();
sqlCommand = new SqlCommand("UPDATE Members SET Name = @name, Surname = @surname, " +
"EntryDate = @date " +
"WHERE Id = @id", sqlConnection);
sqlCommand.Parameters.AddWithValue("@name", Name);
sqlCommand.Parameters.AddWithValue("@surname", Surname);
sqlCommand.Parameters.AddWithValue("@date", EntryDate);
sqlCommand.Parameters.AddWithValue("@id", Status);
sqlCommand.ExecuteNonQuery();
sqlConnection.Close();
As a side note, keep in mind that AddWithValue is a simple way to add parameters to you query, but if the perfomance of this query is critical it is better to use a fully defined parameter with the datatype that matches exactly your database column's type and with the exact size.
Upvotes: 1
Reputation: 754268
You should NEVER EVER concatenate together your SQL statements with user input.
Instead : use parametrized queries - they're easy to use, avoid SQL injection, and improve performance.
Try code something like this:
string updateStmt = "UPDATE dbo.Members SET Name = @Name, Surname = @Surname, EntryDate = @EntryDate WHERE Id = @ID";
sqlCommand = new SqlCommand(updateStmt, sqlConnection);
sqlCommand.Parameters.Add("@Name", SqlDbType.VarChar, 100).Value = name;
sqlCommand.Parameters.Add("@Surname", SqlDbType.VarChar, 100).Value = surname;
sqlCommand.Parameters.Add("@EntryDate", SqlDbType.DateTime).Value = entrydate;
sqlCommand.Parameters.Add("@ID", SqlDbType.Int).Value = member.Id;
sqlConnection.Open();
sqlCommand.ExecuteNonQuery();
sqlConnection.Close();
Upvotes: 1
Reputation: 5265
Remove the quotes from around the WHERE and you should be fine. Please heed the warnings given in the comments about SQL injection attacks.
Upvotes: 0
Related Questions
- Editing an SQL database record using C#
- Update SQL data table in c#?
- C# Edit row in SQL
- Edit existing data in SQL Server database
- Update Data Method in C# for a SQL Server Database
- Updating information in database
- Update SQL table through C# code
- Update Existing Records with SQL
- How can I edit data after reading it from database?
- Editing a row in DB