Do not concatenate strings to build a SQL command. It leaves you wide open to an accidental or deliberate SQL Injection attack, which can destroy your entire database. Use Parametrized queries instead. That will also solve your problem...
string cmd1 = "INSERT INTO student_note ([note]) VALUES(@NOTE) WHERE student_id=@SID AND course_id=@CID";
SqlCommand cmd1x = new SqlCommand(cmd1, con);
cmd1x.Parameters.AddWithValue("@SID", Session["student_id"]);
cmd1x.Parameters.AddWithValue("@CID", Session["course_id"]);
cmd1x.Parameters.AddWithValue("@NOTE", TextBox1.Text);
cmd1x.ExecuteNonQuery();
[edit]
I must be part asleep!
You don't use a WHERE clause on an INSERT statement - it adds a new row, not filters existing ones. You could use a WHERE with an UPDATE, but if you want to add a new row then change your SQL above to:
string cmd1 = "INSERT INTO student_note ([note], student_id, course_id) VALUES(@NOTE, @SID, @CID)";
- OriginalGriff
[/edit]
[edit2]Forgot a comma :doh: - OriginalGriff[/edit2]
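The difference described in the answer above, as an added example that is not part of the original post: it uses Python's built-in sqlite3 in place of ADO.NET so it runs without a database server, with named placeholders standing in for @NOTE, @SID and @CID. The table layout follows the answer's column names; the two sample notes and the helper function names are constructed for illustration.

```python
import sqlite3

# Constructed sample notes: one innocent apostrophe, one that contains SQL syntax.
APOSTROPHE_NOTE = "Didn't hand in homework"
SYNTAX_NOTE = "forged', 2, 20) --"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE student_note (student_id INTEGER, course_id INTEGER, note TEXT)")
    return con

def insert_concatenated(con, sid, cid, note):
    # Anti-pattern: the note text is spliced into the statement and parsed as SQL.
    con.execute("INSERT INTO student_note (note, student_id, course_id) "
                "VALUES('" + note + "', " + str(sid) + ", " + str(cid) + ")")

def insert_parameterized(con, sid, cid, note):
    # Placeholders: the statement text is fixed and the note travels as data only.
    con.execute("INSERT INTO student_note (note, student_id, course_id) "
                "VALUES(:note, :sid, :cid)", {"note": note, "sid": sid, "cid": cid})

def update_parameterized(con, sid, cid, note):
    # WHERE is valid here: UPDATE filters existing rows, INSERT only adds one.
    cur = con.execute("UPDATE student_note SET note = :note "
                      "WHERE student_id = :sid AND course_id = :cid",
                      {"note": note, "sid": sid, "cid": cid})
    return cur.rowcount

def rows(con):
    return con.execute("SELECT student_id, course_id, note FROM student_note "
                       "ORDER BY rowid").fetchall()

def run_concatenated():
    con = make_db()
    try:
        insert_concatenated(con, 1, 10, APOSTROPHE_NOTE)
        apostrophe_ok = True
    except sqlite3.OperationalError:  # the apostrophe ended the string literal early
        apostrophe_ok = False
    insert_concatenated(con, 1, 10, SYNTAX_NOTE)  # caller asked for student 1, course 10
    return apostrophe_ok, rows(con)

def run_parameterized():
    con = make_db()
    for note in (APOSTROPHE_NOTE, SYNTAX_NOTE):
        insert_parameterized(con, 1, 10, note)
    stored = rows(con)  # snapshot before the UPDATE overwrites the notes
    return stored, update_parameterized(con, 1, 10, "See tutor")

if __name__ == "__main__":
    print(run_concatenated())
    print(run_parameterized())
```

With concatenation the apostrophe note fails outright and the second note is stored against student 2, course 20 instead of the ids the caller passed; with placeholders both notes are stored verbatim against student 1, course 10.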