I have a class method for updating database.. but it isn't working and I can't find out what is wrong..
There is no error in the try catch
block.. in database type of id
is int
and type of catagory
is nvarchar(50)
.
I also tried converting id
from int
to string
but doesn't work and no error..
Database column name and variable name is same. Connection string is saved in web.config
file which worked for inserting data.
public string update(int id, string catagory)
{
//creating database connection
SqlConnection objConnection = new SqlConnection(strConnection);
objConnection.Open();
string error = "";
try
{
//firing command
string strCommand = "UPDATE Data SET catagory = '" + catagory + "' WHERE (id = '" + id + "')";
SqlCommand objCommand = new SqlCommand(strCommand, objConnection);
objCommand.ExecuteNonQuery();
}
catch(System.Data.SqlClient.SqlException ex)
{
error = ex.ToString();
}
//closing database connection
objConnection.Close();
return error;
}
If id
column is int
, you don't need to use single quotes with it. Just use it like WHERE (id = " + id + ")
. Single quotes is for character column types.
You should always use parameterized queries . This kind of string concatenations are open for SQL Injection attacks.
string strCommand = "UPDATE Data SET catagory = @catagory WHERE id = @id";
SqlCommand objCommand = new SqlCommand(strCommand, objConnection);
objCommand.Parameters.AddWithValue("@catagory", catagory);
objCommand.Parameters.AddWithValue("@id", id);
objCommand.ExecuteNonQuery();
Also DATA
could be reserved keyword in future releases of SQL Server. You might need to use it in square brackets like [DATA]
in the future.
Use using
statement to dispose your SqlConnection
and SqlCommand
by the way.
Problem : DATA
could be Reserved word in future versions of SqlServer.
From MSDN :
Data could be reserved in future releases of SQL Server as new features are implemented.
Solution : enclose the Reserved words in square brackets as [data]
Try This:
string strCommand = "UPDATE [Data] SET catagory = '" + catagory + "' WHERE (id = " + id + ")";
Suggestion 1: you don't need to enclose the Integer parameters within single quotes.
Suggestion 2 : your Update query is open to sqlinjection attacks please use Parameterised queries to avoid them.
Suggestion 3: you could use the return
value of the ExecuteNonQuery()
method to identify the Status of the UPDATE
command.
Complete Code: using Parameterised Queries
try
{
//firing command
string strCommand = "UPDATE [Data] SET catagory = @catagory WHERE (id =@id)";
SqlCommand objCommand = new SqlCommand(strCommand, objConnection);
objCommand.Parameters.AddWithValue("@catagory",catagory);
objCommand.Parameters.AddWithValue("@id",id);
int status;
status = objCommand.ExecuteNonQuery();
if(status>0)
MessageBox.Show("Data Updated Successfully!");
else
MessageBox.Show("Update Failed!");
}
Always use parameterized queries, for anti injection .
And using statement
automatically dispose and close your sql connection
and sql command
public string update(int id, string catagory)
{
//creating database connection
using( SqlConnection objConnection = new SqlConnection(strConnection))
{
objConnection.Open();
string error = "";
try
{
string strCommand = "UPDATE Data SET catagory = @catagory WHERE id = @id ";
using( SqlCommand objCommand = new SqlCommand(strCommand, objConnection))
{
objCommand.Parameters.AddWithValue("@catagory",catagory);
objCommand.Parameters.AddWithValue("@id",id);
objCommand.ExecuteNonQuery();
}
}
catch(System.Data.SqlClient.SqlException ex)
{
error = ex.ToString();
}
return error;
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.