noob-programmer

Reputation: 61

Incorrect Syntax Near "("

So I was trying to update my database using buttons in VB.Net. I tried following different syntax for updating tables, but it still comes up with the same error. It is so frustrating because we are running out of time to finish our system because of this. Please help me :'(

So this is my code, which will be called after the button is clicked. What is wrong with my syntax here?

Public Sub UpdateClient(Client_ID As Integer, _ClientName As String, _Company_Add As String, _Email_Add As String,
                    _Tin_No As String, _Contact_Person As String, _Mobile_No As String, _Telephone_No As String,
                    _Remarks As String, _User As String)

    Try
        Dim strInsert As String = "UPDATE CLIENTS SET (ClientID = '" & Client_ID & "', ClientName = '" & _ClientName & "', Company_Add = '" & _Company_Add & "', Email_Add = '" & _Email_Add & "', Tin_No = '" & _Tin_No & "', Contact_Person = '" & _Contact_Person & "', Mobile_No = '" & _Mobile_No & "', Telephone_No = '" & _Telephone_No & "', Remarks = '" & _Remarks & "', User_ = '" & _User & "') WHERE (ClientID = '" & Client_ID & "') "

        SQLCon.Open()
        SqlCmd = New SqlCommand(strInsert, SQLCon)
        SqlCmd.ExecuteNonQuery()

        SQLCon.Close()
    Catch ex As Exception
        MsgBox(ex.Message)

    End Try
End Sub

Then here is my code on the button event:

Public Sub Update_Client()

    SQL.UpdateClient(ClientIDLabel1.Text, txtCnamee.Text, txtCadd.Text, txtEadd.Text, txtTin.Text, txtCper.Text, txtMno.Text, txtTel.Text, txtRem.Text, User_Label1.Text)

End Sub

I'm pretty sure the error is in my sql string. What could it be? Please please help me :'(

P.s. I'm new to using VB.Net. Please bear with me :( Thank you.

Upvotes: 1

Views: 131

Answers (1)

Sergey Kalinichenko

Reputation: 726499

Here is the immediate problem with your code: the syntax of UPDATE is as follows:

UPDATE <table> SET <field1>=<value1>, <field2>=<value2> ...

Note that the list of variables that you set is not enclosed in parentheses. You need to remove ( and ) from your parenthesized list to fix the syntax problem in your SQL:

Dim strInsert As String = "UPDATE CLIENTS SET ClientID = '" & Client_ID & "', ClientName = '" & _ClientName & "', Company_Add = '" & _Company_Add & "', Email_Add = '" & _Email_Add & "', Tin_No = '" & _Tin_No & "', Contact_Person = '" & _Contact_Person & "', Mobile_No = '" & _Mobile_No & "', Telephone_No = '" & _Telephone_No & "', Remarks = '" & _Remarks & "', User_ = '" & _User & "' WHERE (ClientID = '" & Client_ID & "') "

However, there is a much bigger problem: your program can be broken by SQL injection attacks, which is very dangerous. You need to rewrite your SQL to accept parameters, and use parameterized SQL to fix this vulnerability. See an answer to this question for a quick example of how to parameterize your query.

Upvotes: 3
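As an added example (not the asker's or the answerer's code), here is the same UPDATE written with a parameterized SqlCommand, so the text typed into the form is sent as data and never becomes part of the SQL statement. It assumes the CLIENTS table and column names from the question, a connection string named "ClientsDb" in app.config, and column sizes that are placeholders to be matched to the real schema.

```vbnet
' Added example: parameterized version of the UpdateClient routine.
' Assumptions: table/column names from the question, a connection string
' named "ClientsDb" in app.config, and parameter sizes that must match the schema.
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Public Class ClientRepository

    Private ReadOnly _connectionString As String = _
        ConfigurationManager.ConnectionStrings("ClientsDb").ConnectionString

    ' Returns the number of rows updated; 0 means no client with that ID exists.
    Public Function UpdateClient(clientId As Integer, clientName As String, companyAdd As String, _
                                 emailAdd As String, tinNo As String, contactPerson As String, _
                                 mobileNo As String, telephoneNo As String, remarks As String, _
                                 userName As String) As Integer

        ' No parentheses around the SET list, and every value is an @parameter.
        ' ClientID is the row key, so it appears only in WHERE (setting it to
        ' itself, as the original code did, was a no-op anyway).
        Dim sql As String = _
            "UPDATE CLIENTS " & _
            "SET ClientName = @ClientName, Company_Add = @CompanyAdd, Email_Add = @EmailAdd, " & _
            "    Tin_No = @TinNo, Contact_Person = @ContactPerson, Mobile_No = @MobileNo, " & _
            "    Telephone_No = @TelephoneNo, Remarks = @Remarks, User_ = @User " & _
            "WHERE ClientID = @ClientId"

        Using con As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, con)
                ' Explicit types and sizes (assumed here) keep the query plan stable
                ' and reject over-long input instead of splicing it into the statement.
                cmd.Parameters.Add("@ClientId", SqlDbType.Int).Value = clientId
                cmd.Parameters.Add("@ClientName", SqlDbType.NVarChar, 100).Value = clientName
                cmd.Parameters.Add("@CompanyAdd", SqlDbType.NVarChar, 200).Value = companyAdd
                cmd.Parameters.Add("@EmailAdd", SqlDbType.NVarChar, 100).Value = emailAdd
                cmd.Parameters.Add("@TinNo", SqlDbType.NVarChar, 20).Value = tinNo
                cmd.Parameters.Add("@ContactPerson", SqlDbType.NVarChar, 100).Value = contactPerson
                cmd.Parameters.Add("@MobileNo", SqlDbType.NVarChar, 20).Value = mobileNo
                cmd.Parameters.Add("@TelephoneNo", SqlDbType.NVarChar, 20).Value = telephoneNo
                cmd.Parameters.Add("@Remarks", SqlDbType.NVarChar, -1).Value = remarks ' -1 = NVARCHAR(MAX)
                cmd.Parameters.Add("@User", SqlDbType.NVarChar, 50).Value = userName

                con.Open()
                Return cmd.ExecuteNonQuery()
            End Using ' Using disposes the command and connection even if an exception is thrown
        End Using
    End Function

End Class
```

The button handler should convert ClientIDLabel1.Text with Integer.TryParse before calling this routine rather than relying on an implicit String-to-Integer conversion, and a return value of 0 tells the caller that nothing matched the WHERE clause.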
