132 asked

Find the syntax error?

private void button1_Click(object sender, EventArgs e)
{
    if (comboBox3.Text == "")
    {
        MessageBox.Show("Select Item!");
    }
    else if (Quantity.Text=="")
    {
        MessageBox.Show("Enter Quantity");
    }
    else if (Price.Text == "")
    {
        MessageBox.Show("Enter Price");
    }
    string tmpqua=comboBox3.SelectedItem.ToString()+"_Q";
    string tmppri=comboBox3.SelectedItem.ToString()+"_P";
    //MessageBox.Show(tmpqua);
    //MessageBox.Show(tmppri);
    SqlConnection con=new SqlConnection("Data Source =ali-aslam\\sqlexpress; Initial Catalog = bfinal; Integrated Security = True");
    SqlCommand cmd = new SqlCommand("update customer_orderf set '"+tmpqua+"'='"+int.Parse(Quantity.Text)+"' , '"+tmppri+"'='"+int.Parse(Price.Text)+"' where order_number='"+order+"'", con);
    //cmd.Parameters.AddWithValue("@quantity",int.Parse(Quantity.Text));
    //cmd.Parameters.AddWithValue("@price", int.Parse(Price.Text));
    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();
    Price.Text = "";
    Quantity.Text = "";
}

What is the syntax error?

1 Answer

David Wimbush answered
I'm guessing the syntax error is in your SQL statement. The single quotes around tmpqua look wrong. You shouldn't be quoting the column name. Also, this is wide open to a SQL Injection attack. You really should parameterise this.
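
Added example, not part of the answer above or of the asker's code: one way to apply both points, with the column names checked against an allowlist (identifiers cannot be passed as SQL parameters) and the values sent as typed parameters. The item names in `KnownItems`, the `OrderUpdater` class and an integer `order_number` are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class OrderUpdater
{
    // Assumed item names; the real list is whatever comboBox3 offers.
    static readonly HashSet<string> KnownItems =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "burger", "pizza", "fries" };

    // Column names cannot be SQL parameters, so the item is validated against the
    // allowlist and the derived column is bracket-quoted, not single-quoted.
    public static string BuildUpdateSql(string item)
    {
        if (item == null || !KnownItems.Contains(item))
            throw new ArgumentException("Unknown item: " + item);
        string qtyCol = "[" + (item + "_Q").Replace("]", "]]") + "]";
        string priceCol = "[" + (item + "_P").Replace("]", "]]") + "]";
        return "UPDATE customer_orderf SET " + qtyCol + " = @quantity, " +
               priceCol + " = @price WHERE order_number = @order";
    }

    public static int UpdateOrder(string connectionString, string item,
                                  string quantityText, string priceText, int orderNumber)
    {
        // TryParse rejects empty or non-numeric text with a clear error.
        if (!int.TryParse(quantityText, out int quantity) ||
            !int.TryParse(priceText, out int price))
            throw new FormatException("Quantity and price must be whole numbers.");

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(BuildUpdateSql(item), con))
        {
            // Values travel as typed parameters, never as part of the SQL text.
            cmd.Parameters.Add("@quantity", SqlDbType.Int).Value = quantity;
            cmd.Parameters.Add("@price", SqlDbType.Int).Value = price;
            cmd.Parameters.Add("@order", SqlDbType.Int).Value = orderNumber;
            con.Open();
            return cmd.ExecuteNonQuery(); // number of rows updated
        }
    }
}
```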