
Update query in SQL Server isn't working

I have a class method for updating the database, but it isn't working and I can't find out what is wrong.

There is no error in the try/catch block. In the database the type of id is int and the type of catagory is nvarchar(50).

I also tried converting id from int to string, but it doesn't work and there is no error.

The database column names and the variable names are the same. The connection string is saved in the web.config file, which worked for inserting data.

public string update(int id, string catagory)
{
    //creating database connection
    SqlConnection objConnection = new SqlConnection(strConnection);
    objConnection.Open();
    string error = "";

    try
    {
        //firing command
        string strCommand = "UPDATE Data SET catagory = '" + catagory + "' WHERE (id = '" + id + "')";
        SqlCommand objCommand = new SqlCommand(strCommand, objConnection);
        objCommand.ExecuteNonQuery();
    }
    catch(System.Data.SqlClient.SqlException ex)
    {
        error = ex.ToString();
    }

    //closing database connection
    objConnection.Close();

    return error;
}

If the id column is int, you don't need to use single quotes with it. Just use it like WHERE (id = " + id + "). Single quotes are for character column types.

But don't use it this way.

You should always use parameterized queries. This kind of string concatenation is open to SQL injection attacks.

string strCommand = "UPDATE Data SET catagory = @catagory WHERE id = @id";
SqlCommand objCommand = new SqlCommand(strCommand, objConnection);
objCommand.Parameters.AddWithValue("@catagory", catagory);
objCommand.Parameters.AddWithValue("@id", id);
objCommand.ExecuteNonQuery();

Also, DATA could be a reserved keyword in future releases of SQL Server. You might need to enclose it in square brackets, like [DATA], in the future.

Use a using statement to dispose of your SqlConnection and SqlCommand, by the way.

Problem: DATA could be a reserved word in future versions of SQL Server.

From MSDN:

Data could be reserved in future releases of SQL Server as new features are implemented.

Solution: enclose reserved words in square brackets, as in [data]. Try this:

string strCommand = "UPDATE [Data] SET catagory = '" + catagory + "' WHERE (id = " + id + ")";

Suggestion 1: you don't need to enclose integer parameters within single quotes.

Suggestion 2: your UPDATE query is open to SQL injection attacks; please use parameterised queries to avoid them.

Suggestion 3: you could use the return value of the ExecuteNonQuery() method to identify the status of the UPDATE command.

Complete code, using parameterised queries:

try
{
    //firing command
    string strCommand = "UPDATE [Data] SET catagory = @catagory WHERE (id = @id)";
    SqlCommand objCommand = new SqlCommand(strCommand, objConnection);
    objCommand.Parameters.AddWithValue("@catagory", catagory);
    objCommand.Parameters.AddWithValue("@id", id);
    int status;
    status = objCommand.ExecuteNonQuery();
    if (status > 0)
        MessageBox.Show("Data Updated Successfully!");
    else
        MessageBox.Show("Update Failed!");
}

Always use parameterized queries, to prevent injection.

  1. The first parameter specifies the SQL statement.
  2. The second parameter is the SqlConnection.
  3. The third parameter is the SqlTransaction. here is a reference

And a using statement automatically disposes of and closes your SQL connection and SQL command.

public string update(int id, string catagory)
{
    //creating database connection
    using (SqlConnection objConnection = new SqlConnection(strConnection))
    {
        objConnection.Open();
        string error = "";

        try
        {
            string strCommand = "UPDATE Data SET catagory = @catagory WHERE id = @id";
            using (SqlCommand objCommand = new SqlCommand(strCommand, objConnection))
            {
                objCommand.Parameters.AddWithValue("@catagory", catagory);
                objCommand.Parameters.AddWithValue("@id", id);
                objCommand.ExecuteNonQuery();
            }
        }
        catch(System.Data.SqlClient.SqlException ex)
        {
            error = ex.ToString();
        }

        return error;
    }
}
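Putting the three answers together, here is an added example (my own code, not posted by the asker or any answerer) of the update method as a security engineer would write it: parameters with explicit SqlDbType and size instead of AddWithValue, using blocks for connection and command, the bracketed [Data] table name, and the ExecuteNonQuery() row count returned to the caller instead of a string. It assumes the table and columns from the question (id int, catagory nvarchar(50)) and that the connection string lives in web.config under an assumed key name.

```csharp
// Added example, not code from the question or the answers above.
// Assumptions: table [Data] with columns id (int) and catagory (nvarchar(50));
// the connection string is read from web.config (key name assumed).
using System;
using System.Data;
using System.Data.SqlClient;

public class DataRepository
{
    private readonly string _connectionString;

    public DataRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Returns the number of rows affected: 1 when the id exists, 0 when it
    // does not. A SqlException is left to propagate rather than being
    // flattened into a string, so a failed statement is never mistaken
    // for "no rows matched".
    public int UpdateCategory(int id, string catagory)
    {
        if (catagory == null) throw new ArgumentNullException(nameof(catagory));
        // Enforce the column size in code too; nvarchar(50) would otherwise
        // reject longer values with a truncation error at execution time.
        if (catagory.Length > 50)
            throw new ArgumentException("catagory exceeds 50 characters", nameof(catagory));

        // The SQL text is a constant: user input never becomes part of it.
        const string sql = "UPDATE [Data] SET catagory = @catagory WHERE id = @id";

        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and size rather than AddWithValue: AddWithValue
            // infers nvarchar(<length of this value>), which yields one cached
            // plan per distinct string length. Declaring nvarchar(50) matches
            // the column exactly and avoids an implicit server-side conversion.
            command.Parameters.Add("@catagory", SqlDbType.NVarChar, 50).Value = catagory;
            command.Parameters.Add("@id", SqlDbType.Int).Value = id;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}

// Usage from an ASP.NET page (connection string key name "strConnection" is
// assumed). The value "Men's wear" contains a single quote: concatenated into
// the SQL text it would terminate the string literal and fail with a syntax
// error, but as a typed parameter it is sent purely as data.
//
// var repo = new DataRepository(
//     System.Configuration.ConfigurationManager
//         .ConnectionStrings["strConnection"].ConnectionString);
// int rows = repo.UpdateCategory(42, "Men's wear");
// string message = rows > 0 ? "Data Updated Successfully!" : "No row with that id";
```

Returning the row count lets the caller distinguish "updated", "id not found" and "database error" (the last surfaces as an exception), which the original string-returning version cannot do: an empty error string there means either success or a silent zero-row update.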
