sql Statement Date object


Hi,

I have an ASP.net application with a connection to a sql database. I am
writing a SQL statement to update some fields in a table but it won't run
because it gives me an error that says

Error near #

How do I fix this problem the Code is below

"UPDATE DefendantInformation SET [First Name] = '" & txtDefFName.Text & "'" _
& ", [Last Name] = '" & txtDefLName.Text & "', [Address] = '" & txtDefAddress.Text & "'" _
& ", [City] = '" & txtDefCity.Text & "', [DOB] = #" & txtDefDOB.Text & "#" _
& " WHERE ID = " & valueSelected

Regards
Brian
 
You shouldn't be concatenating your sql strings -- your code will be vulnerable
to a sql injection attack which is a very serious security hole. Instead
use parameterized queries:

SqlCommand cmd = new SqlCommand();
cmd.Connection = conn; // an open SqlConnection
cmd.CommandText = "update authors set au_fname = @fname where au_id = @ID";
cmd.Parameters.Add("@fname", "Brock");
cmd.Parameters.Add("@ID", "444-55-6666");

and so on....

For your datetime column, you might have better luck by passing a DateTime
as the 2nd parameter to Add().

-Brock
DevelopMentor
http://staff.develop.com/ballen
 
So what you're saying is that for every table column I need to update I should
do them individually.

 
No, he is saying you should use a parameterized query.

bbdobuddy said:
So what you're saying is that for every table column I need to update I should
do them individually.
 
I guess I left out the call to cmd.ExecuteNonQuery() at the end. A parameterized
SQL statement can update many columns. Calling Add is simply preparing the
parameters that will be sent. The SQL isn't sent until you make the call
to ExecuteNonQuery().

-Brock
DevelopMentor
http://staff.develop.com/ballen
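Putting Brock's two points together (one parameterized statement for every column, and a typed DateTime parameter instead of the #...# delimiters, which are Access/Jet syntax that SQL Server rejects), here is Brian's UPDATE rewritten in C#. This is an added example, not code from the thread; it assumes an open SqlConnection named conn, that valueSelected holds an integer ID, and column sizes (50/200) that are guesses for the DefendantInformation table.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class DefendantUpdater
{
    // Returns the number of rows updated, or -1 if the DOB text is not a valid date.
    public static int UpdateDefendant(SqlConnection conn, int id,
        string firstName, string lastName, string address, string city, string dobText)
    {
        // Validate the date in code rather than quoting it into the SQL text.
        DateTime dob;
        if (!DateTime.TryParse(dobText, out dob))
            return -1;

        using (SqlCommand cmd = conn.CreateCommand())
        {
            // One statement updates every column; user input never becomes part of the SQL.
            cmd.CommandText =
                "UPDATE DefendantInformation " +
                "SET [First Name] = @FirstName, [Last Name] = @LastName, " +
                "[Address] = @Address, [City] = @City, [DOB] = @DOB " +
                "WHERE ID = @ID";

            // Column sizes below are assumptions, not taken from the thread.
            cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 50).Value = firstName;
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
            cmd.Parameters.Add("@Address", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@City", SqlDbType.NVarChar, 50).Value = city;
            // Typed DateTime parameter: no string formatting, no delimiter problem.
            cmd.Parameters.Add("@DOB", SqlDbType.DateTime).Value = dob;
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;

            // Nothing reaches the server until this call.
            return cmd.ExecuteNonQuery();
        }
    }
}
```

From the page's button handler this would be called as UpdateDefendant(conn, Convert.ToInt32(valueSelected), txtDefFName.Text, txtDefLName.Text, txtDefAddress.Text, txtDefCity.Text, txtDefDOB.Text), and a return of 0 means no row matched the ID while -1 means the DOB text should be reported back to the user.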


 