
Syntax error in query expression

string q = "UPDATE tableAbsensi SET Absen_keluar =('"+(DateTime.Now.ToString("hh:mm"))+"') WHERE ID ='"+ idkaryawantxt.Text.ToString() + "' AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy"));

I think I have an error in my syntax; can you guys help me? Thanks.

Here's a picture of the error: http://sadpanda.us/images/1889033-X8SIZZN.jpg

It looks like you're missing a quote. This:

AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy"));

should probably be

AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy") + "'");

But you really should use parameters instead, to prevent errors like these and also SQL injection.

Please don't do that!

You should never use string concatenation in your SQL queries. Always use parameterized queries. This kind of string concatenation is open to SQL injection attacks.

With these concatenations, you might forget a comma, quotes, brackets, etc.

Also use the using statement to dispose of your Connection and Command. For example:

using(OleDbConnection con = new OleDbConnection(ConnectionString))
using(OleDbCommand cmd = con.CreateCommand())   // the command is created from the connection
{
   con.Open();   // the connection must be open before ExecuteNonQuery
   // OleDb placeholders are positional: parameters bind in the order they are added
   string s = "UPDATE tableAbsensi SET Absen_keluar=? WHERE ID=? AND Tanggal=?";
   cmd.CommandText = s;
   cmd.Parameters.AddWithValue("@absen", DateTime.Now.ToString("hh:mm"));
   cmd.Parameters.AddWithValue("@id", idkaryawantxt.Text.ToString());
   cmd.Parameters.AddWithValue("@tanggal", DateTime.Now.ToString("MM-dd-yyyy"));
   cmd.ExecuteNonQuery();
}

Don't use string concatenation to insert values into SQL code. Always use parameters, and issues like this caused by formatting just go away. To learn why and how to use parameters, check this out.
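Added example, not from any of the answers above: the question's UPDATE rebuilt in Python against an in-memory SQLite table (a constructed stand-in for the Access database the OleDb code targets), to show concretely why the last two answers insist on parameters. The concatenated version breaks as soon as a value contains a quote, exactly the mechanism behind both the formatting errors and SQL injection, while the positional `?` placeholders (the same style OleDb uses) treat the value purely as data. The column names and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for tableAbsensi; one ID deliberately contains a quote."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tableAbsensi (ID TEXT, Tanggal TEXT, Absen_keluar TEXT)")
    con.executemany(
        "INSERT INTO tableAbsensi VALUES (?, ?, ?)",
        [("1001", "03-15-2014", None), ("O'Neil", "03-15-2014", None)],
    )
    con.commit()
    return con


def update_concat(con, emp_id, today, now):
    """The question's pattern: values pasted into the SQL text.

    Returns the number of rows changed, or the parser's error text when the
    assembled SQL no longer parses (e.g. the ID itself contains a quote).
    """
    q = ("UPDATE tableAbsensi SET Absen_keluar =('" + now + "') WHERE ID ='"
         + emp_id + "' AND Tanggal ='" + today + "'")
    try:
        cur = con.execute(q)
        con.commit()
        return cur.rowcount
    except sqlite3.OperationalError as e:
        return "error: " + str(e)


def update_param(con, emp_id, today, now):
    """Same statement with '?' placeholders: the SQL text is fixed, values are bound."""
    q = "UPDATE tableAbsensi SET Absen_keluar = ? WHERE ID = ? AND Tanggal = ?"
    cur = con.execute(q, (now, emp_id, today))
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print(update_concat(db, "1001", "03-15-2014", "17:05"))    # 1
    print(update_concat(db, "O'Neil", "03-15-2014", "17:05"))  # error: near "Neil": ...
    print(update_param(db, "O'Neil", "03-15-2014", "17:05"))   # 1
```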
