matt2605
Reputation: 216
SQL update to database not working
I am trying to update my database but it is not working.
I first tried this code:
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID=@IDVAL";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.Parameters.AddWithValue("@ques1VAL", ques1TextBox.Text);
cmd.Parameters.AddWithValue("@IDVAL", IDTextBox.Text);
cmd.ExecuteNonQuery();
con.Close();
It doesn't throw an error but it doesn't update the database. When I tried the next code, only integers are updated and not strings.
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable " +
"SET ques1=" + ques1TextBox.Text +
" WHERE ID=" + IDTextBox.Text;
SqlCommand cmd = new SqlCommand(@command, con);
cmd.ExecuteNonQuery();
con.Close();
Can anyone explain what I am doing wrong? I prefer code to be secure against SQL injection is possible please.
Upvotes: 0
Views: 71
Answers (2)
Rahul Hendawe
Reputation: 912
In first case you are missing @ at where condition so, it should be like-
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID=@IDVAL";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.Parameters.AddWithValue("@ques1VAL", ques1TextBox.Text);
cmd.Parameters.AddWithValue("@IDVAL", IDTextBox.Text);
cmd.ExecuteNonQuery();
con.Close();
In your second case you pass the .text but not use proper string quotations. It should be like -
SqlConnection con = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=|DataDirectory|\\QuizDB.mdf;Integrated Security=True;User Instance=True;");
con.Open();
string command = "UPDATE QuizTable " +
"SET ques1='" + ques1TextBox.Text +
"' WHERE ID='" + IDTextBox.Text+"'";
SqlCommand cmd = new SqlCommand(@command, con);
cmd.ExecuteNonQuery();
con.Close();
Upvotes: 0
Ryan
Reputation: 3982
You're missing the "@" for the IDVAL paramer:
string command = "UPDATE QuizTable SET ques1= @ques1VAL WHERE ID = @IDVAL";
Upvotes: 2
Related Questions
- How can I prevent SQL injection in PHP?
- How to concatenate text from multiple rows into a single text string in SQL Server
- How to add a column with a default value to an existing table in SQL Server?
- How to import an SQL file using the command line in MySQL?
- Finding duplicate values in a SQL table
- How do I UPDATE from a SELECT in SQL Server?
- How do I perform an IF...THEN in an SQL SELECT?
- How can I do an UPDATE statement with JOIN in SQL Server?
- How can I delete using INNER JOIN with SQL Server?