textBox11.Text = DateTime.Now.ToShortDateString();

            if (textBox1.Text != "")
            {

                textBox5.Text = label7.Text;

                con.Open();
                string query = "UPDATE Emp2 SET DateOut ='" + textBox11.Text + "' & TimeOut ='" + textBox5.Text + "' WHERE No = '" + textBox1.Text + "'";
                SqlDataAdapter SDA = new SqlDataAdapter(query, con);
                SDA.SelectCommand.ExecuteNonQuery();
                con.Close();
                MessageBox.Show("UPDATE SUCCESS!");
                formload();
            }



An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

Additional information: Incorrect syntax near '='.


What I have tried:

Tried everything, nothing works for me. I need help, thanks.
Updated 4-Apr-19 1:19am
Comments
Richard Deeming 4-Apr-19 9:41am    
Once you've gone through your code and fixed the SQL Injection security vulnerabilities, do yourself a favour and change the control names to something meaningful. Sure, you might remember what textBox42 contains now; but when you come back to your code in a few weeks, you won't remember.

There's also no need to use a textbox to store DateTime.Now - just pass DateTime.Now to the relevant query parameter.

And check the data type of DateOut to make sure you're not storing dates as strings.

Two things

1) Your SQL is vulnerable to SQL injection. A simple Google search will provide you plenty of information on this. Given your error, it is possible you've encountered a SQL injection depending on what kind of data you are attempting to insert... e.g. if I set textBox1.Text = "'This'Is'AwfulInput", that could potentially trigger this error as well.

2)
string query = "UPDATE Emp2 SET DateOut ='" + textBox11.Text + "' & TimeOut ='" + textBox5.Text + "' WHERE No = '" + textBox1.Text + "'";


Take a look at your SQL statement, you've got an ampersand where a comma should be. Given I don't have access to your code or DB, this is the likely fix.

"UPDATE Emp2 SET DateOut ='" + textBox11.Text + "', TimeOut ='" + textBox5.Text + "' WHERE No = '" + textBox1.Text + "'"


A basic update statement should look like this: UPDATE TableName SET Column1 = '', Column2 = '' WHERE Id = 2. You indicate you tried "everything", so I would recommend you follow some SQL tutorials in your journey to learning SQL, as UPDATE statements are fairly straightforward (this wasn't meant as snarky or rude, truly meant to be a helpful recommendation).
 
A few problems with the code; a vulnerability, your actual problem, an inefficiency, and some notes/suggestions for you.

1. Concatenated strings should never be used; this is a SQL Injection vulnerability. It's been known for over 20 years now and is unacceptable. Use SqlParameters to add the values to the command object.

2. Items in the SET list should be separated with a comma (,), not an ampersand (&).

3. The SqlDataAdapter is designed for working with data retrieval, and has an overhead to it which is not needed for this application. All you need to run this is a SqlCommand object.

4. ExecuteNonQuery returns an Int32 to let you know how many rows were affected. You can use this to verify the query was run as expected. I threw it into your message box.

5. You should be using try/catch blocks which I added in. Ideally this should all be wrapped in a using block to properly dispose of the resources.

Enough of that... here is the code rewrite that I did
C#
// requires: using System.Data.SqlClient;
using (SqlConnection con = new SqlConnection(connectionString)) {
  try {
    // Placeholders (@Dateout, @Timeout, @No) keep the input values out of the SQL text
    string query = "UPDATE Emp2 SET DateOut = @Dateout, TimeOut = @Timeout WHERE No = @No";
    SqlCommand cmd = new SqlCommand(query, con);
    cmd.Parameters.AddWithValue("@Dateout", textBox11.Text);
    cmd.Parameters.AddWithValue("@Timeout", textBox5.Text);
    cmd.Parameters.AddWithValue("@No", textBox1.Text);

    con.Open();
    // ExecuteNonQuery returns the number of rows affected
    int RowsAffected = cmd.ExecuteNonQuery();
    con.Close();

    MessageBox.Show(string.Format("UPDATE SUCCESS! {0} rows were updated", RowsAffected));
  }
  catch (Exception ex) { 
    // your error handling code
  }
}
 
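A variant of the rewrite above that also applies the suggestions from the comment: explicitly typed parameters, and DateTime.Now passed straight to the query instead of through a textbox. This is an added example, not code from any of the posters; the class and method names are hypothetical, and it assumes Emp2.No is an int, DateOut a date and TimeOut a time column, which the page does not state.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper, not from the thread. Assumed schema (not stated on the
// page): Emp2.No is int, DateOut is date, TimeOut is time.
public static class CheckOutRecorder
{
    private const string Sql =
        "UPDATE Emp2 SET DateOut = @DateOut, TimeOut = @TimeOut WHERE No = @No";

    // Returns the number of rows updated; 0 means no employee has that number.
    // Typical call: RecordCheckOut(connectionString, textBox1.Text, DateTime.Now)
    public static int RecordCheckOut(string connectionString,
                                     string employeeNoText,
                                     DateTime now)
    {
        // Validate the one user-supplied value before it reaches the database.
        if (!int.TryParse(employeeNoText, out int employeeNo))
            throw new ArgumentException(
                "Employee number must be a whole number.", nameof(employeeNoText));

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(Sql, con))
        {
            // Explicit SqlDbType: each value is sent as typed data, never as
            // SQL text, and no date-to-string conversion happens in the client.
            cmd.Parameters.Add("@DateOut", SqlDbType.Date).Value = now.Date;
            cmd.Parameters.Add("@TimeOut", SqlDbType.Time).Value = now.TimeOfDay;
            cmd.Parameters.Add("@No", SqlDbType.Int).Value = employeeNo;

            con.Open();
            // Both using blocks dispose the command and close the connection,
            // including when ExecuteNonQuery throws.
            return cmd.ExecuteNonQuery();
        }
    }
}
```

A return value of 0 is not an error from SQL Server, so the caller should check it before showing a success message.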
You don't need to use the & operator in the update query; just replace it with a comma (,).

Update your SQL query as below.

string query = "UPDATE Emp2 SET DateOut ='" + textBox11.Text + "', TimeOut ='" + textBox5.Text + "' WHERE No = '" + textBox1.Text + "'";


For best practice, don't use inline queries; they lead to SQL injection, which is a major security hole for your application.
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


