Incorrect syntax near '8' error when using update query

Question

 static public void updateSelectedCaravan(string make, string model, string birth, string year, string Int, string ext, string width, string Unladen, string mtplm, string warranty, string freeText, string price, string location, string Tel, string Email, int makeID, string description)
{
    SqlConnection conn = new SqlConnection(ConnectionString);
    conn.Open();
    SqlCommand updateNews = new SqlCommand("Update [productDetail] SET [make] =@make , [model] = @model , [Berth] = @birth , [Year] =  @year , [InternalLength] = @Int , [ExternalLength] = @ext, [Width] = @width , [UnladenWeight] = @Unladen , [MTPLM] = @mtplm , [Warranty] = @warranty , [FreeTextDetails] = @freeText , [Price] = @price , [Location] = @location , [Tel] = @Tel , [Email] = @Email , [description] = @description where [makeID] = @makeID", conn);
    updateNews.Parameters.AddWithValue("@make", make);
    updateNews.Parameters.AddWithValue("@model", model);
    updateNews.Parameters.AddWithValue("@birth", birth );
    updateNews.Parameters.AddWithValue("@year", year);
    updateNews.Parameters.AddWithValue("@Int", Int);
    updateNews.Parameters.AddWithValue("@ext", ext);
    updateNews.Parameters.AddWithValue("@width", width);
    updateNews.Parameters.AddWithValue("@Unladen", Unladen);
    updateNews.Parameters.AddWithValue("@mtplm", mtplm);
    updateNews.Parameters.AddWithValue("@warranty",warranty);
    updateNews.Parameters.AddWithValue("@freeText", freeText);
    updateNews.Parameters.AddWithValue("@price", price);
    updateNews.Parameters.AddWithValue("@location", location);
    updateNews.Parameters.AddWithValue("@Tel", Tel);
    updateNews.Parameters.AddWithValue("@Email",Email );
    updateNews.Parameters.AddWithValue("@description",description );
    updateNews.Parameters.AddWithValue("@makeID", makeID);
    updateNews.ExecuteNonQuery();
    conn.Close();
}

The above query doesnt works works it gives an error Incorrect syntax near '8', It was working fine before but I dont know for what reason it has stopped working , i have debugged d query and its passing all the required values.

Answer 1

One of your data items contains a single quote, probably next to a number 8. This is breaking your SQL, and is an example of accidental SQL Injection , which you should guard against.

You should use parameterised queries. That way the single quote will be automatically escaped for you, and this issue will disappear.

Answer 2

Stop creating your own SQL queries. It's vulnerable to SQL Injection attacks. Use parameterized expressions instead, and you won't have to deal with these parameter errors anymore.

 SqlCommand cmd = new SqlCommand("UPDATE productDetail SET make = @make WHERE id = @id");
 cmd.Parameters.AddWithValue("@make", "someValue");
 cmd.Parameters.AddWithValue("@id", 1234);

 // execute

Answer 3

Firstly you should paramatise your querys because you have a huge security issue here if someone malicious was going to use your system in regards to SQL injections.

Secondly, what types are the fields? If they are int, as a lot of them should be, you don't need to do:

SET year = '2011'

You would do:

SET year = 2011

This wont throw errors afaik, but it's recommended.

The best way to debug the query is print the query before it executes, to see what the actual built query is. As someone else mentioned it's probably a single quote causing issues.

If you paramatise your query it will work, and it will be more secure.

Answer 4

In addition to above answers, I would like to suggest you to please try to send the class object in your function.

This means you should have a Object Model Project. This contains a class for all the parameters you passed in your function.

Add the reference of this project to your datalayer/presentation and from the presentation send the object of this class populated with data member values to access the member data. In this way, in case tomorrow you have to increase/decrease the parameters, then you do not need to change the function signature.