I am creating a Windows application using C# 2010. I am using a DataGridView for billing purposes, but when saving the grid view values to the database the error below comes up:

Incorrect syntax near the keyword 'where'.

C#
SqlCommand cmd2 = new SqlCommand("update stkdetails set customer=customer+" + rows.Cells[7].Value + " where empname='" + rows.Cells[2].Value + "'and date='" + txtdate.Text + "'", con2);



Can anyone give me some ideas on how to solve the above error?

What I have tried:

Incorrect syntax near the keyword 'where'.
Posted
Updated 18-Nov-16 14:28pm
Comments
[no name] 18-Nov-16 11:39am    
Yes, use proper parameterized queries and your problem will likely go away all by itself.
Boopalslm 18-Nov-16 11:44am    
rows.Cells[2].Value - this is a proper parameterized cell value, but the error still comes.
[no name] 18-Nov-16 11:46am    
No it is not. You have been told this over and over.
Vamsi Krishnna 18-Nov-16 11:45am    
Enclose this section in single quotes: " + rows.Cells[7].Value + ". The problem should be solved.

Please read bobby-tables.com: A guide to preventing SQL injection, before someone destroys your database.
This is a very, very simple error to fix on your own because the error tells you exactly what the problem is. I do not mean to sound rude, but it would be much faster for you to fix it than it takes to post this question and wait for a response.

Secondly, use a parameterized query. The way you have your code now, I could hack your db very easily. You have very unsafe code.

Something like:
C#
SqlCommand cmd2 = new SqlCommand("update stkdetails set customer=customer+@customer where empname=@empName and ...", con2);
cmd2.Parameters.AddWithValue("@customer", rows.Cells[7].Value);
cmd2.Parameters.AddWithValue("@empName", rows.Cells[2].Value);
...
// you finish the rest.  Very, very simple.
Comments
Boopalslm 18-Nov-16 11:55am    
The error below came:

The parameterized query '(@customer nvarchar(4000),@empName nvarchar(4000))update stkdeta' expects the parameter '@customer', which was not supplied.
ZurdoDev 18-Nov-16 11:59am    
The error, again, is pretty clear. It says you did not provide a value for @customer when you called the sql.
Boopalslm 18-Nov-16 12:08pm    
How do I solve the error?
Boopalslm 18-Nov-16 12:16pm    
The parameterized query '(@empname varchar(8000),@customer float)update stkdetails set cu' expects the parameter '@empname', which was not supplied.

Now the above error comes. What can I do? Please give me ideas.
ZurdoDev 18-Nov-16 13:24pm    
You need to do what the error is telling you.
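Putting the advice in this answer and its comment thread into one complete routine, as an added example (this is not code from the original question or from either answer): it reproduces the original string-built statement only to show why an empty cell yields "Incorrect syntax near the keyword 'where'" and why a value containing an apostrophe breaks the query, then performs the update with typed parameters and makes sure every parameter named in the SQL receives a non-null value, which is what the "expects the parameter '@customer', which was not supplied" error is complaining about. The column types (customer numeric, empname varchar(50), date stored in a SQL Server date column), the grid name dataGridView1 in the usage note, and the .NET 4 / C# 4 target (Visual Studio 2010) are assumptions; adjust them to the real stkdetails schema.

```csharp
// Added example, not the original poster's or answerers' code. Column types below are
// assumptions about the stkdetails table. Written against C# 4 / .NET 4 (Visual Studio 2010).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Windows.Forms;

static class StockBilling
{
    // The original approach: cell values are pasted into the SQL text, so the statement
    // the server receives depends on what the cells happen to contain.
    public static string BuildUnsafeSql(object qtyCell, object empNameCell, string dateText)
    {
        return "update stkdetails set customer=customer+" + qtyCell
             + " where empname='" + empNameCell + "' and date='" + dateText + "'";
    }
    // BuildUnsafeSql(null, "Ravi", "2016-11-18")
    //   -> "update stkdetails set customer=customer+ where empname='Ravi' and date='2016-11-18'"
    //      which SQL Server rejects with: Incorrect syntax near the keyword 'where'.
    // BuildUnsafeSql(5, "O'Brien", "2016-11-18")
    //   -> the apostrophe in the name ends the string literal early; a crafted name can
    //      append its own SQL the same way. That is the injection risk the answers describe.

    // The fixed version: values travel as typed parameters, never as SQL text.
    // Returns the number of rows updated, or 0 for the grid's empty new-row placeholder.
    public static int UpdateCustomer(SqlConnection con2, DataGridViewRow row, string dateText)
    {
        if (row.IsNewRow)
            return 0;   // all its cells are null, a common source of "was not supplied"

        // Validate the cells before anything reaches the database.
        decimal qty;
        if (!decimal.TryParse(Convert.ToString(row.Cells[7].Value), NumberStyles.Number,
                              CultureInfo.CurrentCulture, out qty))
            throw new ArgumentException("Cell 7 must contain a number, got: " + row.Cells[7].Value);

        string empName = Convert.ToString(row.Cells[2].Value);   // "" for null or DBNull
        if (string.IsNullOrWhiteSpace(empName))
            throw new ArgumentException("Cell 2 (empname) is empty");

        DateTime billDate;
        if (!DateTime.TryParse(dateText, CultureInfo.CurrentCulture, DateTimeStyles.None, out billDate))
            throw new ArgumentException("Not a valid date: " + dateText);

        // [date] is bracketed only because it is also a type name; the unbracketed form works too.
        const string sql =
            "UPDATE stkdetails SET customer = customer + @customer " +
            "WHERE empname = @empname AND [date] = @date";

        using (SqlCommand cmd2 = new SqlCommand(sql, con2))
        {
            // Explicit types: the server sees decimal/varchar/date instead of whatever
            // AddWithValue infers from the object in the cell (nvarchar(4000), float, ...).
            // Every parameter named in the SQL is added and none has a null Value: SqlClient
            // does not send a parameter whose Value is null, and the server then reports
            // "expects the parameter '@customer', which was not supplied".
            cmd2.Parameters.Add("@customer", SqlDbType.Decimal).Value = qty;
            cmd2.Parameters.Add("@empname", SqlDbType.VarChar, 50).Value = empName;
            cmd2.Parameters.Add("@date", SqlDbType.Date).Value = billDate;   // SQL Server 2008+

            if (con2.State != ConnectionState.Open)
                con2.Open();
            return cmd2.ExecuteNonQuery();
        }
    }
}
```

Call UpdateCustomer once per row, for example in a foreach over dataGridView1.Rows, passing txtdate.Text; the placeholder row at the bottom of the grid is skipped by the IsNewRow check rather than being sent as a statement full of nulls. If the date column is actually stored as text, keep the date parameter as SqlDbType.VarChar and pass the validated string instead, but still as a parameter.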
The problem with the way you build the query is that whether there is an error or not depends on the variables' contents.
The variables are promoted to SQL code, and a malicious value opens the door to SQL injection. The use of parameters may be the solution to both problems.
SQL injection - Wikipedia
SQL Injection
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)