SQL Statement Date object

Guest

Hi,

I have an ASP.NET application with a connection to a SQL database. I am
writing a SQL statement to update some fields in a table, but it won't run
because it gives me an error that says

Error near #

How do I fix this problem? The code is below:

' Builds the UPDATE text by concatenating the form fields straight into the SQL
"UPDATE DefendantInformation SET [First Name] = '" & txtDefFName.Text & "'" _
    & ", [Last Name] = '" & txtDefLName.Text & "', [Address] = '" & txtDefAddress.Text & "'" _
    & ", [City] = '" & txtDefCity.Text & "', [DOB] = #" & txtDefDOB.Text & "#" _
    & " WHERE ID = " & valueSelected

Regards
Brian

Brock Allen

You shouldn't be concatenating your SQL strings -- your code will be vulnerable
to a SQL injection attack, which is a very serious security hole. Instead,
use parameterized queries:

SqlCommand cmd = conn.CreateCommand();   // conn is an already-created SqlConnection
cmd.CommandText = "update authors set au_fname = @fname where au_id = @ID";
// Add(name, value) is the .NET 1.x overload; later versions mark it obsolete in
// favour of AddWithValue(name, value) or Add(name, SqlDbType).Value = value
cmd.Parameters.Add("@fname", "Brock");
cmd.Parameters.Add("@ID", "444-55-6666");

and so on....

For your datetime column, you might have better luck by passing a DateTime
as the 2nd parameter to Add().

Guest

So what you're saying is that for every table column I need to update, I should
do them individually?


Marina

No, he is saying you should use a parameterized query.


Brock Allen

I guess I left out the call to cmd.ExecuteNonQuery() at the end. A parameterized
SQL statement can update many columns. Calling Add is simply preparing the
parameters that will be sent. The SQL isn't sent until you make the call
to ExecuteNonQuery().

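The following is an added example; it is not code from the original thread or from Brock's posts. It ties together the two points Brock makes above (one parameterized command updates every column, and nothing reaches the server until ExecuteNonQuery()) and applies them to Brian's UPDATE: every form field becomes a parameter, and the DOB is parsed in code and sent as a typed DateTime rather than as text wrapped in # (the Access/Jet date delimiter, which SQL Server does not accept and which is what the "near #" error is complaining about). It is written in C# like the replies; the class and method names, the column sizes, the accepted date formats, and the connection string are assumptions, as is the integer type of the ID column.

```csharp
// Added example, not from the original thread. Assumes a SQL Server table
// DefendantInformation with nvarchar columns [First Name], [Last Name], [Address],
// [City], a datetime column [DOB] and an int key [ID]; sizes are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class DefendantRepository
{
    // Date formats the DOB textbox is allowed to contain (assumed; adjust to the form).
    private static readonly string[] DobFormats = { "yyyy-MM-dd", "M/d/yyyy", "d/M/yyyy" };

    // Updates one defendant row and returns the number of rows affected.
    // Throws ArgumentException when the DOB text is not a recognisable date.
    public static int UpdateDefendant(
        string connectionString, int id,
        string firstName, string lastName, string address, string city, string dobText)
    {
        // Validate the date in code so the server receives a DateTime value,
        // not a string it has to parse (and not a #-delimited literal).
        DateTime dob;
        if (!DateTime.TryParseExact(dobText, DobFormats, CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out dob))
        {
            throw new ArgumentException("DOB must be a date in one of: "
                                        + string.Join(", ", DobFormats), "dobText");
        }

        // One statement, six placeholders: all columns are updated in a single round trip.
        const string sql =
            "UPDATE DefendantInformation " +
            "SET [First Name] = @FirstName, [Last Name] = @LastName, " +
            "    [Address] = @Address, [City] = @City, [DOB] = @DOB " +
            "WHERE [ID] = @ID";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Values travel separately from the SQL text, so a first name such as
            //   O'Brien'; DROP TABLE DefendantInformation;--
            // is stored as that literal string and is never parsed as SQL.
            cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 50).Value = firstName;
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
            cmd.Parameters.Add("@Address", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@City", SqlDbType.NVarChar, 50).Value = city;
            cmd.Parameters.Add("@DOB", SqlDbType.DateTime).Value = dob;   // typed, no # needed
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;

            conn.Open();
            // Nothing has been sent yet; ExecuteNonQuery() ships the text and the
            // parameter values together and returns the affected-row count.
            return cmd.ExecuteNonQuery();
        }
    }
}

// Example call from the page's button handler. txtDef* are Brian's textboxes;
// valueSelected is assumed to hold the selected row's ID as a string, and
// connStr an assumed connection string read from configuration.
//
//   int id;
//   if (!int.TryParse(valueSelected, out id))
//   {
//       lblError.Text = "Invalid record selected.";   // lblError is an assumed control
//       return;
//   }
//   int rows = DefendantRepository.UpdateDefendant(connStr, id,
//       txtDefFName.Text, txtDefLName.Text, txtDefAddress.Text,
//       txtDefCity.Text, txtDefDOB.Text);
```

Two checks worth keeping: parsing valueSelected with int.TryParse before it ever reaches the command (an unparsed ID is the other injection point in the original string, since it was concatenated without quotes), and surfacing the affected-row count, because ExecuteNonQuery() returning 0 usually means the WHERE clause matched nothing rather than that the update "worked".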