The format of an UPDATE command is not the same as an INSERT:
UPDATE <table_name> SET <field>=<new value>,<field... WHERE ...
Having said that, do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
[edit]Forgot to encode HTML, grr. - OriginalGriff[/edit]
"sir pls show an example for parameterized queries"
using (SqlConnection con = new SqlConnection(strConnect))
{
con.Open();
using (SqlCommand com = new SqlCommand("UPDATE myTable SET myColumn1=@C1, myColumn2=@C2 WHERE Id=@ID", con))
{
com.Parameters.AddWithValue("@ID", id);
com.Parameters.AddWithValue("@C1", myValueForColumn1);
com.Parameters.AddWithValue("@C2", myValueForColumn2);
com.ExecuteNonQuery();
}
}
Submit an article or tip