I am getting an error while updating data in SQL in VB.NET. I am using VS2013.
Since the query is long, I have separated it using "&_".
-----------------------------------------------------------------------------
Code:
-----------------------------------------------------------------------------
SQL
con.Open()
      ss = "UPDATE emp_master set empid=" & txtempid.Text & ",empname='" & txtename.Text & "',pfno='" & txtpfno.Text & "',dob=" & dtpdob.Value & ",gender='" & g & "'," & _
         "contact=" & txtcontact.Text & ",email='" & txtemail.Text & "',doj=" & dtpdoj.Value & ",address='" & txtaddress.Text & "',edu='" & txtedu.Text & "'," & _
         "nationality='" & txtNation.Text & "',bloodgroup=" & cmb_Bloodgrp.SelectedText & ", desig='" & txtdesig.Text & "',exp=" & txtexp.Text & ",salary=" & txtsalary.Text & "," & _
         "dept='" & txtdept.Text & "',pic=" & arrImg.ToString() & ",usertype=" & Cmb_utype.SelectedText & " WHERE empid=" & txtempid.Text & " "
      com = New SqlCommand(ss, con)
      com.ExecuteNonQuery()
      MsgBox("Data Updated Successfully !", MsgBoxStyle.Information, MsgBoxStyle.OkCancel)
con.Close()



----------------------------------------------------------------------------
Error:
---------------------------------------------------------------------------
SQL
Additional information: Incorrect syntax near ','.

An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
Comments
Tomas Takac 15-Feb-15 5:07am    
This is a mess. Plus your code is vulnerable to SQL injection. Use parameters in your queries! To debug this, just have a look at the content of ss; it should be obvious what's wrong there. If not, update your question with the text.

Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

The chances are that that would cure your problem at the same time as protecting your DB.
VB
ss = "UPDATE emp_master SET empid=@EID, empName=@ENM, ..."
com = New SqlCommand(ss, con)
com.Parameters.AddWithValue("@EID", txtempid.Text)
com.Parameters.AddWithValue("@ENM", txtename.Text)
' ... one AddWithValue call for each remaining parameter
com.ExecuteNonQuery()
 
Comments
A94 15-Feb-15 8:34am    
Thanks It Worked...!!!!
OriginalGriff 15-Feb-15 10:08am    
You're welcome!
EXP is a keyword - https://msdn.microsoft.com/en-us/library/ms179857.aspx.
Wrap the exp column name in a [] bracket e.g. [exp].

In general, you should use command parameters in a query.
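
A fuller version of the parameterized UPDATE that the answers recommend, added here as an example and not code from any of the posts. The column types, the `UpdateEmployee` helper and its `textCols` dictionary are assumptions, since the question does not show the `emp_master` schema.

```vb
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module EmpMasterUpdate
    ' [exp] is bracketed as the second answer advises.
    ' empid appears only in WHERE; the original SET it to the value it already had.
    Private Const UpdateSql As String =
        "UPDATE emp_master SET empname=@empname, pfno=@pfno, dob=@dob, gender=@gender, " &
        "contact=@contact, email=@email, doj=@doj, address=@address, edu=@edu, " &
        "nationality=@nationality, bloodgroup=@bloodgroup, desig=@desig, [exp]=@exp, " &
        "salary=@salary, dept=@dept, pic=@pic, usertype=@usertype WHERE empid=@empid"

    ' textCols maps column name -> control text for the string columns
    ' (empname, pfno, gender, contact, email, address, edu, nationality,
    ' bloodgroup, desig, dept, usertype). Column types are assumptions.
    Function UpdateEmployee(con As SqlConnection, empId As Integer,
                            textCols As IDictionary(Of String, String),
                            dob As Date, doj As Date, expYears As Integer,
                            salary As Decimal, pic As Byte()) As Integer
        Using com As New SqlCommand(UpdateSql, con)
            For Each col In textCols
                ' Sent as data: a quote in a name or address cannot change the statement.
                com.Parameters.AddWithValue("@" & col.Key, If(col.Value, ""))
            Next
            com.Parameters.Add("@empid", SqlDbType.Int).Value = empId
            ' Dates go over as dates, not as locale-formatted text.
            com.Parameters.Add("@dob", SqlDbType.Date).Value = dob.Date
            com.Parameters.Add("@doj", SqlDbType.Date).Value = doj.Date
            com.Parameters.Add("@exp", SqlDbType.Int).Value = expYears
            com.Parameters.Add("@salary", SqlDbType.Decimal).Value = salary
            ' The image is bound as bytes; arrImg.ToString() would only yield "System.Byte[]".
            com.Parameters.Add("@pic", SqlDbType.VarBinary, -1).Value =
                If(pic Is Nothing, CObj(DBNull.Value), pic)
            Return com.ExecuteNonQuery()   ' number of rows affected
        End Using
    End Function
End Module
```

Validate the form input before calling it, for example with `Integer.TryParse(txtempid.Text, empId)`, and read combo boxes through `.Text`, because `SelectedText` returns only the highlighted portion of the edit box.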
 
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


