CODEWITHSUNDEEP
c#sqlsql-serverwebformsado.net
Wolfish
Wolfish

Reputation: 970

SQL Syntax error in C# string

I'm running a query from a web form to update records. Since I'm just learning about C#, I'm using a command string as opposed to a stored procedure.

My update method is as follows:

public void updateOne()
    {
        string commandText = "update INVOICE SET <Redacted> = @<Redacted>, 
                    Supplier = @Sup, SupplierName = @SupN, NetTotal = @Net, 
                              VATTotal = @VAT, InvoiceDate = @InvDt "
       <needed a line break here, which is why I split the string again> 
                              + "WHERE K_INVOICE = @K_INV";

        using (SqlConnection dbConnection = new SqlConnection
                                                    (conParams.connectionString))
        {
            SqlCommand cmd = new SqlCommand(commandText, dbConnection);
            cmd.Parameters.Add("@K_INV", SqlDbType.Int);
            cmd.Parameters["@K_INV"].Value = @K_INV;

            cmd.Parameters.AddWithValue("@<Redacted>", @<Redacted>.ToString());
            cmd.Parameters.AddWithValue("@Sup", @Sup.ToString());
            cmd.Parameters.AddWithValue("@SupN", @SupN.ToString());
            cmd.Parameters.AddWithValue("@Net", @Net.ToString());
            cmd.Parameters.AddWithValue("VAT", @VAT.ToString());
            cmd.Parameters.AddWithValue("@InvDt", @InvDt.ToString());

            try
            {
                dbConnection.Open();
                cmd.ExecuteNonQuery();
            }
            catch (Exception e)
            {
                errorString = e.Message.ToString();
            }
        }
    }

Catch stalls on an SQL error (Incorrect syntax near SET), and I have an idea that the issue occurs because I convert the parameters to strings. The first parameter is an Int, which should be OK.

If this is the case, what should I convert the parameters to? If not, what on earth is wrong?

Upvotes: 1

Views: 1522

Answers (2)

marc_s
marc_s

Reputation: 754388

I would recommend you read this blog article on the dangers of .AddWithValue():

Instead of 

cmd.Parameters.AddWithValue("@Sup", @Sup.ToString());

you should use

cmd.Parameters.Add("@Sup", SqlDbType.VarChar, 50).Value = ...(provide value here)..;

(is your variable in C# really called @SupN ?? Rather unusual and confusing....)

I would recommend to always define an explicit length for any string parameters you define

Upvotes: 1

Felipe Oriani
Felipe Oriani

Reputation: 38598

Try to add a @ before the string to escape the breaklines, for sample:

string commandText = @"update INVOICE SET [Redacted] = @Redacted, 
                    Supplier = @Sup, SupplierName = @SupN, NetTotal = @Net, 
                              VATTotal = @VAT, InvoiceDate = @InvDt "
                              + "WHERE K_INVOICE = @K_INV";

In parameterName argument you can add the @ but the value not, just the variable, for sample

cmd.Parameters.AddWithValue("@Redacted", redacted.ToString());

Try to execute this query in the databse with some values to check if everything is correct. You could use [brackets] in the table name and column names if you have a reserved word.

Upvotes: 3

Related Questions