Tarang

Reputation: 1

System.Data.SqlClient.SqlException: Incorrect syntax near ''

cmd.Connection = con;
con.Open();
cmd.CommandText = "Update tiit.Enquiry Set Status='" + DropDownList4.SelectedValue + "', NextFollowup='" + TextBox8.Text + "', Remarks='" + TextBox9.Text + "', Name='" + TextBox1.Text + "', Email='" + TextBox2.Text + "', Phone='" + TextBox3.Text + "','','','','', City='" + TextBox4.Text + "', Country='" + TextBox5.Text + "', Course='" + TextBox6.Text + "', Comments='" + TextBox7.Text + "', Cost='" +TextBox14.Text+ "' where SN='" + HiddenField1.Value + "'";
int i = cmd.ExecuteNonQuery();
con.Close();

Upvotes: 0

Views: 4989

Answers (2)

m.edmondson

Reputation: 30872

In all probability this:

"Update tiit.Enquiry Set Status='"

is your problem. (I'm talking about the .)

I completely agree however - use parametrised queries.

Upvotes: 3

Darin Dimitrov

Reputation: 1038720

No, don't do this. Never use string concatenations (+ operator) when building your SQL queries. Use parametrized queries:

cmd.Connection = con; 
con.Open(); 
cmd.CommandText = "UPDATE tiit.Enquiry Set Status=@Status, NextFollowup=@NextFollowup, ...";
cmd.Parameters.AddWithValue("@Status", DropDownList4.SelectedValue);
cmd.Parameters.AddWithValue("@NextFollowup", TextBox8.Text);
...

This way your code won't be vulnerable to SQL injection and you won't have any encoding problems.

Upvotes: 3
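Added example (my code, not from the question or either answer): the question's UPDATE written the way Darin describes, but with explicitly typed parameters through Parameters.Add instead of AddWithValue, so no form text is ever spliced into the SQL string. The column names come from the question; the column types and lengths, and SN being an INT, are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the page. Types/lengths below are assumptions;
// match them to the real tiit.Enquiry schema.
public static class EnquiryRepository
{
    // The statement is a fixed literal: parameters are the only variable part,
    // so user input cannot change the SQL structure (no injection, no quoting bugs).
    const string UpdateSql =
        "UPDATE tiit.Enquiry " +
        "SET Status = @Status, NextFollowup = @NextFollowup, Remarks = @Remarks, " +
        "    Name = @Name, Email = @Email, Phone = @Phone, City = @City, " +
        "    Country = @Country, Course = @Course, Comments = @Comments, Cost = @Cost " +
        "WHERE SN = @SN";

    public static int UpdateEnquiry(
        string connectionString, int sn, string status, DateTime nextFollowup,
        string remarks, string name, string email, string phone, string city,
        string country, string course, string comments, decimal cost)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(UpdateSql, con))
        {
            // Explicit SqlDbType/length: AddWithValue infers nvarchar(n) from the
            // string length, which defeats plan reuse and can force implicit
            // conversions on indexed columns. Explicit types also fail fast on bad input.
            cmd.Parameters.Add("@Status", SqlDbType.NVarChar, 20).Value = status;
            cmd.Parameters.Add("@NextFollowup", SqlDbType.Date).Value = nextFollowup;
            cmd.Parameters.Add("@Remarks", SqlDbType.NVarChar, -1).Value = remarks;   // nvarchar(max)
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            cmd.Parameters.Add("@Phone", SqlDbType.NVarChar, 30).Value = phone;
            cmd.Parameters.Add("@City", SqlDbType.NVarChar, 100).Value = city;
            cmd.Parameters.Add("@Country", SqlDbType.NVarChar, 100).Value = country;
            cmd.Parameters.Add("@Course", SqlDbType.NVarChar, 100).Value = course;
            cmd.Parameters.Add("@Comments", SqlDbType.NVarChar, -1).Value = comments; // nvarchar(max)
            var costParam = cmd.Parameters.Add("@Cost", SqlDbType.Decimal);
            costParam.Precision = 10; costParam.Scale = 2; costParam.Value = cost;
            cmd.Parameters.Add("@SN", SqlDbType.Int).Value = sn;

            con.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 0 means no row with that SN
        }
    }
}
```

In the button handler, convert the text boxes first (int.TryParse on HiddenField1.Value, DateTime.TryParse on TextBox8.Text, decimal.TryParse on TextBox14.Text) and reject the request if any conversion fails, so malformed input never reaches the command at all.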
