C#
string cmd = string.Format("Update mobilesubscriberdata1 set " + fieldname + "='" + val + "' where m_date='{0}''{1}'", dateTimePicker1.Value.ToString("yyyy-MM-dd")   + " and id=" + Id + "");

obj.GetDataTable(cmd);

Can anyone tell me what the error is in the above command?
Please.
Updated 14-Jul-14 22:11pm
Comments
Sergey Alexandrovich Kryukov 15-Jul-14 4:12am    
This is not a valid or sensible question. What is the question? "Can anyone change..?" or "Can anyone tell..?" Is that what you wanted to know? :-) Yes, anyone can change it (but why?), and no, no one can tell you unless you tell us what you tried to achieve...
—SA

The major problem with your code is the whole idea of composing the query by concatenating strings, some of them taken from the UI. Bad idea. First, repeated string concatenation is really bad, because strings are immutable (do I have to explain this?); you should rather use string.Format.

But, much worse, this code opens wide doors to a well-known exploit called SQL Injection. Here is how:
http://xkcd.com/327

For further explanation, please see my past answers and the referenced pages:
EROR IN UPATE in com.ExecuteNonQuery();
hi name is not displaying in name?

This is what you should use: http://msdn.microsoft.com/en-us/library/ff648339.aspx

—SA
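To show what the parameterised version recommended in the answer above looks like for this exact UPDATE, here is an added example; it is not code from the original question or from any of the answers. It assumes SQL Server through System.Data.SqlClient, a connection string held in `connectionString`, and a hypothetical whitelist of column names (`m_name`, `m_plan`, `m_status`); `fieldname`, `val`, `dateTimePicker1.Value` and `Id` are the question's own variables.

```csharp
// Added example (not from the original post). Assumptions: SQL Server via
// System.Data.SqlClient, and that the allowed column names below stand in for
// the real columns of mobilesubscriberdata1.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class SubscriberUpdate
{
    // A column name cannot be sent as a SQL parameter, so the only safe way to
    // let the caller pick the column is to check it against a fixed list.
    // (Hypothetical column names; substitute the real ones.)
    private static readonly HashSet<string> UpdatableColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "m_name", "m_plan", "m_status" };

    // Returns the number of rows affected, as ExecuteNonQuery reports it.
    public static int UpdateField(string connectionString, string fieldname, string val, DateTime mDate, int id)
    {
        if (!UpdatableColumns.Contains(fieldname))
            throw new ArgumentException("Column is not updatable: " + fieldname, "fieldname");

        // The column name is interpolated only after the whitelist check. Every
        // user-supplied value travels as a typed parameter, never as SQL text, so
        // a quote inside `val` cannot close the string literal and append SQL.
        string sql = "UPDATE mobilesubscriberdata1 SET [" + fieldname + "] = @val " +
                     "WHERE m_date = @mdate AND id = @id";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@val", SqlDbType.NVarChar, 200).Value = val ?? (object)DBNull.Value;
            // Pass the DateTime itself: no ToString("yyyy-MM-dd"), no quoting, no
            // dependence on the server's date format or the client's culture.
            cmd.Parameters.Add("@mdate", SqlDbType.Date).Value = mDate.Date;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// Call site, replacing the string.Format / GetDataTable pair in the question:
// int rows = SubscriberUpdate.UpdateField(connectionString, fieldname, val, dateTimePicker1.Value, Id);
```

Two points worth noticing: an UPDATE returns no result set, so `ExecuteNonQuery` (the row count) is the right call rather than something that fills a DataTable; and the dynamic column name is the one part of this statement that parameters cannot protect, which is why it goes through an explicit whitelist instead of being trusted from the caller.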
The error is that you are using string concatenation to create SQL commands, which can lead to corruption or even total destruction of your database. Use proper parameterised queries as described in the documentation and protect yourself from hackers.
C#
string cmd = string.Format("Update mobilesubscriberdata1 set " + fieldname + "='" + val + "' where m_date='{0}' and id=" + Id, dateTimePicker1.Value.ToString("yyyy-MM-dd"));

For a cleaner version:

C#
string cmd = string.Format("Update mobilesubscriberdata1 set {0}='{1}' where m_date='{2}' and id={3}",fieldname,val,dateTimePicker1.Value.ToString("yyyy-MM-dd"),Id);
Comments
Member 10891595 15-Jul-14 4:37am    
Thanks, sir.
ashok rathod 15-Jul-14 6:25am    
Please mark it as the answer or rate it.
Try:
C#
string cmd = string.Format("Update mobilesubscriberdata1 set {0}='{1}' where m_date='{2}' and id={3}", fieldname.ToString(), val.ToString(), dateTimePicker1.Value.ToString("yyyy-MM-dd"), Id.ToString());
I guess you get a runtime error. Am I right?

First of all, this is a terrible mix of string concatenations.
Very difficult to read, hence difficult to troubleshoot.
C#
string cmd = string.Format("Update mobilesubscriberdata1 set " + fieldname + "='" + val + "' where m_date='{0}''{1}'", dateTimePicker1.Value.ToString("yyyy-MM-dd")   + " and id=" + Id + "");
 
obj.GetDataTable(cmd);


Change the code to this
C#
string cmd = string.Format(@"
UPDATE mobilesubscriberdata1 SET fieldname = '{0}' 
WHERE m_date = '{1}''{2}' AND id = '{3}'", 
val, dateTimePicker1.Value.ToString("yyyy-MM-dd"), id);
 
obj.GetDataTable(cmd);


(Not sure if fieldname is a variable or a column name. I assumed a column name.)
If you take a look now you might see something suspicious.
Hint: Count the arguments. (Why two placeholders for the date but only one argument?)

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)