查询表达式中的语法错误

Question

string q = "UPDATE tableAbsensi SET Absen_keluar =('"+(DateTime.Now.ToString("hh:mm"))+"') WHERE ID ='"+ idkaryawantxt.Text.ToString() + "' AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy"));

I think I have error in my syntax, can you guys help me? Thanks

here's the picture of error : http://sadpanda.us/images/1889033-X8SIZZN.jpg

Answer 1

It looks like you're missing a quote. This:

AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy"));

should probably be

AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy") + "');

But you really should use parameters instead to prevent errors like these and also SQL injection .

Answer 2

Please don't do that!

You should never use string concatenations in your sql queries. Always use parameterized queries . This kind of string concatenations are open for SQL Injection attacks.

With this concatenations, you might forget to use some comma, quotes, brackets etc..

Also use the using statement to dispose your Connection and Command . For example;

using(OleDbConnection con = new OleDbConnection(ConnectionString))
using(OleDbCommand cmd = com.CreateCommand())
{
   string s = "UPDATE tableAbsensi SET Absen_keluar=? WHERE ID=? AND Tanggal=?";
   cmd.CommandText = s;
   cmd.Parameters.AddWithValue("@absen", DateTime.Now.ToString("hh:mm"));
   cmd.Parameters.AddWithValue("@id", idkaryawantxt.Text.ToString());   
   cmd.Parameters.AddWithValue("@tanggal",  DateTime.Now.ToString("MM-dd-yyyy")); 
   cmd.ExecuteNonQuery();  
}

Answer 3

Don't use string concatenation to insert values into SQL code. Always use parameters and issues like this caused by formatting just go away. To learn why and how to use parameters, check this out .