Please correct the code:

```
cmdupdate.CommandText = "Insert Into RawMat " +
" (ProductDimension) " +
" VALUES ('" + txtwidth.Text + "', '" + txtheight.Text + "', '" + txtunitofmeasurement.Text + "')";
cmdupdate.ExecuteNonQuery();
```

Output:

Given:
height = 5
width = 7
unit = feet

Answer:
dimension = 5 x 7 feet
Posted 2-Jul-12 21:12pm
wolfsor564

## 2 solutions

## Solution 1

```
cmdupdate.CommandText = "Insert Into RawMat " +
" (ProductDimension) " +
" VALUES ('" + txtwidth.Text + " X " + txtheight.Text + " " + txtunitofmeasurement.Text + "')";
cmdupdate.ExecuteNonQuery();
```

## Solution 2

1) you can concatenate in T-SQL with the + sign
2) why don't you concatenate in C#?
3) use parameters for statement building (avoid exposing your app to SQL injection)

```
cmdupdate.CommandText = "Insert Into RawMat (ProductDimension) VALUES (@dim)";
cmdupdate.Parameters.AddWithValue("@dim", string.Format("{0} x {1} {2}", txtwidth.Text, txtheight.Text, txtunitofmeasurement.Text));
```

Comments
wolfsor 3-Jul-12 3:48am

How do you add WHERE ProductNo=@Pno?
Zoltán Zörgő 3-Jul-12 4:05am

WHERE clause in this insert statement? I don't understand. In a select you can do it just like here. If the data type of the parameter is not detectable, you can use the Add method and then set the value. Consult MSDN.
Zoltán Zörgő 4-Jul-12 17:14pm

any progress?
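
Added example (not part of the original question or answers): Solution 2's parameterized statement using `Add` with explicit parameter types, plus the UPDATE form, which is where a `WHERE ProductNo = @Pno` clause would go. It assumes SQL Server through `System.Data.SqlClient` and a schema of `ProductDimension NVARCHAR(50)` and `ProductNo INT`, neither of which is stated on the page; the class and method names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class RawMatCommands
{
    // Assumed schema (not given on the page): ProductDimension NVARCHAR(50), ProductNo INT.
    static string Dimension(string width, string height, string unit)
    {
        return string.Format("{0} x {1} {2}", width, height, unit);
    }

    // INSERT: one column, one parameter. The value is built in C# and never spliced into the SQL text.
    public static SqlCommand BuildInsert(SqlConnection conn, string width, string height, string unit)
    {
        var cmd = new SqlCommand("INSERT INTO RawMat (ProductDimension) VALUES (@dim)", conn);
        // Explicit type and size instead of letting AddWithValue infer them from the value.
        cmd.Parameters.Add("@dim", SqlDbType.NVarChar, 50).Value = Dimension(width, height, unit);
        return cmd;
    }

    // UPDATE: changing an existing row is the statement that takes WHERE ProductNo = @Pno.
    // productNo is an int; parse the text box with int.TryParse before calling.
    public static SqlCommand BuildUpdate(SqlConnection conn, int productNo,
                                         string width, string height, string unit)
    {
        var cmd = new SqlCommand(
            "UPDATE RawMat SET ProductDimension = @dim WHERE ProductNo = @Pno", conn);
        cmd.Parameters.Add("@dim", SqlDbType.NVarChar, 50).Value = Dimension(width, height, unit);
        cmd.Parameters.Add("@Pno", SqlDbType.Int).Value = productNo;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input: the apostrophe would end the string literal in the
        // concatenated statement, but it is plain data when passed as a parameter.
        using (var conn = new SqlConnection()) // no connection string: nothing is executed here
        using (var cmd = BuildUpdate(conn, 12, "7", "5", "feet (5' clearance)"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
            // With a real connection string: conn.Open(); cmd.ExecuteNonQuery();
        }
    }
}
```

The SQL text stays constant whatever the user types, so the server only ever treats the text box contents as a value for `@dim`.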

