Click here to Skip to main content
15,904,494 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
EROR IN UPATE in think in com.ExecuteNonQuery(); flagR = false;

C#
public bool UpDebitor(string Name, string PostNumber, string PhoneNumber,Guid ID)
{
    bool flagR = true;
    string query = string.Format("UPDATE Debitors SET  Name = '{0}' , PostNumber = '{1}', PhoneNumber '{2}' WHERE ID = '{3}'",
        Name, PostNumber, (PhoneNumber != String.Empty) ? PhoneNumber : null,ID);

    using (SqlConnection con = new SqlConnection(constring))
    {
        SqlCommand com = new SqlCommand(query, con);
        try
        {
            con.Open();
            com.ExecuteNonQuery();
            flagR = false;

        }
        catch
        {

        }
        return flagR;
    }
}
Posted
Comments
Richard C Bishop 13-Dec-12 16:42pm    
What does the error message say?

1) You should really be using Paramaterized Queries.
2) PhoneNumber '{2}' should be PhoneNumber = '{2}'
 
Share this answer
 
v2
Comments
Jibesh 13-Dec-12 16:54pm    
Good Catch Marcus!!!
the dark Knight 13-Dec-12 17:04pm    
thank you working now
[no name] 14-Dec-12 0:11am    
Great Marcus....
The major flaw of this code is that it is using string data to compose a query; and you should never ever do it because this is too dangerous from the security standpoint.

The data can come from anywhere, including user input. In this case, it can be anything, including… a fragment of SQL code. This simple idea explain a well-known exploit called SQL Injection:
http://en.wikipedia.org/wiki/SQL_injection[^].

This article also explain the importance of parameterized statements. You need to use them in your code. Please see:
http://msdn.microsoft.com/en-us/library/ms254953.aspx[^].

—SA
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900