sql - Solution to this error -
I have written this query:
String sql = "update db "
        + "set lname = '" + txtlname.getText() + "',"
        + "atc_code = '" + txtatccode.getText() + "',"
        + "atc_name= '" + txtatcname.getText() + "',"
        + "course_name = '" + txtcoursename.getText() + "',"
        + "course_fee = '" + txtcoursefee.getText() + "',"
        + "where fname = '" + txtfname.getText() + "' ";
and got an error like this:
malformed sql statement: expected ',', found 'anuja'. statement:update db set lname = 'df',atc_code = '323',atc_name= 'sd',course_name = 'd',course_fee = '534',where fname = 'anuja'
Remove the last , in the set statement:
String sql = "update db "
        + "set lname = '" + txtlname.getText() + "',"
        + "atc_code = '" + txtatccode.getText() + "',"
        + "atc_name= '" + txtatcname.getText() + "',"
        + "course_name = '" + txtcoursename.getText() + "',"
        + "course_fee = '" + txtcoursefee.getText() + "' " // no comma needed here, only the closing quote
        + "where fname = '" + txtfname.getText() + "' ";
On a side note, this kind of SQL command generation (concatenating strings that contain values) is susceptible to SQL injection attacks. To prevent this type of attack, use parameters and set the parameter values instead. See SQL injection for more information.
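The parameterized form the answer recommends, as an added example that is not part of the original post. The class and method names (`UpdateCourse`, `updateCourse`) are hypothetical, and it assumes text columns and a JDBC URL passed on the command line with the matching driver on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class UpdateCourse {
    // Same table and columns as the question; each value is a ? placeholder,
    // so there are no quotes or commas to assemble by hand around the data.
    static final String SQL =
            "UPDATE db SET lname = ?, atc_code = ?, atc_name = ?, "
          + "course_name = ?, course_fee = ? WHERE fname = ?";

    // Values are bound in the order the placeholders appear in SQL.
    // Assumption: all columns are text, as the quoted literals in the question suggest.
    static int updateCourse(Connection conn, String lname, String atcCode, String atcName,
                            String courseName, String courseFee, String fname)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            String[] values = {lname, atcCode, atcName, courseName, courseFee, fname};
            for (int i = 0; i < values.length; i++) {
                ps.setString(i + 1, values[i]); // JDBC parameter indexes start at 1
            }
            return ps.executeUpdate(); // number of rows changed
        }
    }

    public static void main(String[] args) throws SQLException {
        if (args.length != 1) {
            System.err.println("usage: java UpdateCourse <jdbc-url>");
            return;
        }
        // Assumption: args[0] is a JDBC URL for the database holding table db,
        // and its driver is on the classpath.
        try (Connection conn = DriverManager.getConnection(args[0])) {
            // Constructed sample values; in the form they would come from
            // txtlname.getText(), txtatccode.getText(), and so on.
            // The apostrophe in the last name is stored as data, not parsed as SQL.
            int rows = updateCourse(conn, "O'Brien", "323", "sd", "d", "534", "anuja");
            System.out.println(rows + " row(s) updated");
        }
    }
}
```

If `course_fee` is a numeric column, bind it with `setBigDecimal` or `setInt` after validating the field's text instead of `setString`.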