ERROR IN UPDATE, I think in com.ExecuteNonQuery(); flagR = false;

using System;
using System.Data.SqlClient;

public bool UpDebitor(string Name, string PostNumber, string PhoneNumber, Guid ID)
{
    bool flagR = true;
    // Query text is built with string.Format from the raw arguments.
    // Note: "PhoneNumber '{2}'" has no '=' between column and value,
    // so this is not a valid SET clause and SQL Server rejects the statement.
    string query = string.Format("UPDATE Debitors SET  Name = '{0}' , PostNumber = '{1}', PhoneNumber '{2}' WHERE ID = '{3}'",
        Name, PostNumber, (PhoneNumber != String.Empty) ? PhoneNumber : null, ID);

    using (SqlConnection con = new SqlConnection(constring))
    {
        SqlCommand com = new SqlCommand(query, con);
        try
        {
            con.Open();
            com.ExecuteNonQuery();
            // As written, flagR ends up false on success and true on failure.
            flagR = false;
        }
        catch
        {
            // The SqlException is swallowed here, which hides the real error message.
        }
        return flagR;
    }
}
Comments
Richard C Bishop 13-Dec-12 16:42pm
   
What does the error message say?

Solution 2

1) You should really be using Parameterized Queries.
2) PhoneNumber '{2}' should be PhoneNumber = '{2}'
   
Comments
Jibesh 13-Dec-12 16:54pm
   
Good Catch Marcus!!!
the dark Knight 13-Dec-12 17:04pm
   
thank you working now
[no name] 14-Dec-12 0:11am
   
Great Marcus....

Solution 1

The major flaw of this code is that it is using string data to compose a query, and you should never ever do it because this is too dangerous from the security standpoint.

The data can come from anywhere, including user input. In this case, it can be anything, including… a fragment of SQL code. This simple idea explains a well-known exploit called SQL Injection:
http://en.wikipedia.org/wiki/SQL_injection

This article also explains the importance of parameterized statements. You need to use them in your code. Please see:
http://msdn.microsoft.com/en-us/library/ms254953.aspx

—SA
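Both solutions above point at the same fix: keep the SQL text constant and pass the values as parameters. The following is an added example, not code from the question or from either answer, showing the UpDebitor method rewritten with SqlParameter objects, plus a helper that renders what the original string.Format query turns into when Name carries a constructed hostile value. It assumes the Debitors table from the question and guesses the column sizes (100/20/30); match those to your own schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class DebitorRepository
{
    private readonly string constring;

    public DebitorRepository(string connectionString)
    {
        constring = connectionString;
    }

    // Parameterized version of UpDebitor. The SQL text never changes; each
    // value travels as a typed parameter, so a Name such as  x' WHERE 1=1 --
    // is stored literally instead of being parsed as part of the statement.
    public bool UpDebitor(string Name, string PostNumber, string PhoneNumber, Guid ID)
    {
        const string query =
            "UPDATE Debitors SET Name = @Name, PostNumber = @PostNumber, " +
            "PhoneNumber = @PhoneNumber WHERE ID = @ID";

        using (SqlConnection con = new SqlConnection(constring))
        using (SqlCommand com = new SqlCommand(query, con))
        {
            // Column sizes below are assumptions; use the sizes from your schema.
            com.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = Name;
            com.Parameters.Add("@PostNumber", SqlDbType.NVarChar, 20).Value = PostNumber;
            // An empty phone number is sent as SQL NULL. The original code
            // formatted null into the string and therefore stored ''.
            com.Parameters.Add("@PhoneNumber", SqlDbType.NVarChar, 30).Value =
                string.IsNullOrEmpty(PhoneNumber) ? (object)DBNull.Value : PhoneNumber;
            com.Parameters.Add("@ID", SqlDbType.UniqueIdentifier).Value = ID;

            con.Open();
            // ExecuteNonQuery returns the number of rows affected: 1 when the
            // debitor exists, 0 when no row has that ID. A SqlException is
            // left to propagate (or should be logged) rather than swallowed.
            int rows = com.ExecuteNonQuery();
            return rows == 1;
        }
    }

    // Renders the query the way the original code built it (with the missing
    // '=' restored) so the injection can be seen without touching a database.
    public static string RenderUnsafeQuery(string Name, string PostNumber, string PhoneNumber, Guid ID)
    {
        return string.Format(
            "UPDATE Debitors SET Name = '{0}', PostNumber = '{1}', PhoneNumber = '{2}' WHERE ID = '{3}'",
            Name, PostNumber, PhoneNumber, ID);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed hostile input: closes the string literal, supplies its
        // own WHERE clause, and comments out the rest of the statement.
        string hostileName = "x' WHERE 1=1 --";
        Console.WriteLine(DebitorRepository.RenderUnsafeQuery(
            hostileName, "12345", "555-0100", Guid.NewGuid()));
        // Prints:
        // UPDATE Debitors SET Name = 'x' WHERE 1=1 --', PostNumber = '12345', ... WHERE ID = '...'
        // Everything after -- is a comment, so every row in Debitors gets Name = 'x'.
    }
}
```

Returning `rows == 1` also replaces the inverted flagR logic in the question: the caller gets true only when exactly one debitor row was updated, and a wrong or missing ID shows up as false instead of being indistinguishable from a successful run.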
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



