Hello guys, I have a problem with running an update query from Microsoft Access 2013. I just want to update the client table with client ID, name and phone. I can't get the data to be updated; there is always an error in syntax.
string I = "UPDATE client SET client.ID =" + ID.Text + " ,client.Name =" + Name.Text + " ,client.Phone = " + Phone.Text + " WHERE client.ID="+ ID.Text +"";
command.CommandText = I;
command.CommandType = CommandType.Text;
connection.Open();
command.ExecuteNonQuery();
You need to use a parameterized query, like this:
string I = "UPDATE client SET client.Name = ?, client.Phone = ? WHERE client.ID = ?";
command.CommandText = I;
command.CommandType = CommandType.Text;
command.Parameters.AddWithValue("?", Name.Text);
command.Parameters.AddWithValue("?", Phone.Text);
command.Parameters.AddWithValue("?", ID.Text);
connection.Open();
command.ExecuteNonQuery();
Note that it makes no sense to "SET" client.ID since it is not going to change.
Related
I'm trying to execute multiple updates like this
UPDATE clients SET name = :name WHERE clientId = :clientID
I've tried something like this
OracleConnection con = new OracleConnection(connectionString);
con.Open();
OracleCommand cmd = new OracleCommand();
cmd.Connection = con;
cmd.CommandText =
"begin " +
" UPDATE clients SET name = " + name1 + " WHERE clientId = " + clientId1 +
" UPDATE clients SET name = " + name2 + " WHERE clientId = " + clientId2 +
"end;";
cmd.CommandType = CommandType.Text;
cmd.ExecuteNonQuery();
con.Close();
but I need to execute hundreds of parameterized updates like the first one
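One way to run many parameterized updates of that form, added here as an example and not taken from the thread: build the command and its parameters once, then change only the parameter values per row inside a single transaction. The class and method names, the provider-neutral `DbConnection` type and the `int` type of `clientId` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;

static class ClientBatch
{
    // Hypothetical helper: 'con' must already be open. Parameters are added in the
    // order they appear in the SQL because ODP.NET binds by position unless
    // BindByName is set to true on the OracleCommand.
    public static int UpdateNames(DbConnection con, IEnumerable<KeyValuePair<int, string>> rows)
    {
        int affected = 0;
        using (DbTransaction tx = con.BeginTransaction())
        using (DbCommand cmd = con.CreateCommand())
        {
            cmd.Transaction = tx;
            cmd.CommandText = "UPDATE clients SET name = :name WHERE clientId = :clientID";

            DbParameter name = cmd.CreateParameter();
            name.ParameterName = "name";
            name.DbType = DbType.String;
            cmd.Parameters.Add(name);

            DbParameter id = cmd.CreateParameter();
            id.ParameterName = "clientID";
            id.DbType = DbType.Int32;      // assumed column type
            cmd.Parameters.Add(id);

            try
            {
                foreach (KeyValuePair<int, string> row in rows)
                {
                    name.Value = (object)row.Value ?? DBNull.Value;
                    id.Value = row.Key;
                    affected += cmd.ExecuteNonQuery();   // SQL text never changes, only values
                }
                tx.Commit();
            }
            catch
            {
                tx.Rollback();   // all-or-nothing: a failed row undoes the earlier ones
                throw;
            }
        }
        return affected;
    }
}
```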
Can anyone please help? I have a table with three fields: Amount, LatestUpdate and Note. I want to update the three fields using parameters to avoid any SQL injection. I need help writing them the correct way using parameter.Add().
Here is the code.
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = convert(nvarchar(4000),@notes) + '. " + item.notes + "' WHERE ID=1";
com.Parameters.Add("@amount", item.amount.ToString());
com.Parameters.Add("@latestUpdate", item.fuelingDate.ToString());
com.Parameters.Add("@notes", item.notes.ToString());
You're nearly there. You want something like
com.Parameters.Add("@amount", SqlDbType.Int).Value = item.amount;
com.Parameters.Add("@latestUpdate", SqlDbType.DateTime).Value = item.fuelingDate;
com.Parameters.Add("@notes", SqlDbType.NVarChar).Value = item.notes;
Don't forget to include using System.Data;
You need to add parameters along with the SqlDbType. Do not use the AddWithValue method because several articles mention that it is not very safe. I would use the following:
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = @notes WHERE ID=1";
SqlParameter parameter = new SqlParameter("@amount", System.Data.SqlDbType.Int);
parameter.Value = item.amount;
com.Parameters.Add(parameter);
parameter = new SqlParameter("@latestUpdate", System.Data.SqlDbType.DateTime);
parameter.Value = item.fuelingDate;
com.Parameters.Add(parameter);
parameter = new SqlParameter("@notes", System.Data.SqlDbType.NVarChar);
parameter.Value = item.notes;
com.Parameters.Add(parameter);
--UPDATE--
To update the notes instead of overwriting, just change the commandText:
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = Notes + @notes WHERE ID=1";
This is the final code that works. I am sharing it in case anyone else needs it. Thank you all for your help.
com.CommandText = "update tblStore set Amount=Amount + @amount, LatestUpdate=@latestUpdate, Notes = convert(nvarchar(4000),Notes) + '.' + @notes WHERE ID=1";
com.Parameters.Add("@amount", SqlDbType.Int).Value = item.amount;
com.Parameters.Add("@latestUpdate", SqlDbType.DateTime).Value = item.fuelingDate;
com.Parameters.Add("@notes", SqlDbType.NVarChar).Value = item.notes;
Are you looking for this?
com.CommandText = "update tblStore set Amount=Amount + @amount, " +
"LatestUpdate=@latestUpdate, Notes = convert(nvarchar(4000),@notes) + '. " +
item.notes + "' WHERE ID=1";
com.Parameters.AddWithValue("@amount", item.amount.ToString());
com.Parameters.AddWithValue("@latestUpdate", item.fuelingDate.ToString());
com.Parameters.AddWithValue("@notes", item.notes.ToString());
I am trying to retrieve "customer_id" from Customer table and insert it into
fare_tariff(tariff_id, customer_id, total_price)
So I retrieve the customer_id from Customer table as below:
using (SqlCommand command = new SqlCommand("SELECT customer_id FROM Customer WHERE UserName = '" + username + "' AND Password = '"+password +"' ", connection))
{
string cust_id = customer_id.ToString();
SqlDataReader myReader = command.ExecuteReader();
if (myReader.Read())
{
cust_id = myReader["customer_id"].ToString();
}
int c_id = Convert.ToInt32(cust_id);
myReader.Close();
custID(c_id);
}
and insert the customer_id into table fare_tariff like below:
using (SqlCommand command = new SqlCommand("INSERT INTO flight_reservation(tariff_id, customer_id, total_price) VALUES(@val1,@val2,@val3)", connection))
{
command.Parameters.Add("@val1", SqlDbType.Int).Value = tariff_id;
command.Parameters.Add("@val2", SqlDbType.Int).Value = customer_id;
command.Parameters.Add("@val3", SqlDbType.VarChar).Value = total_price.ToString();
command.ExecuteNonQuery();
}
I declared customer_id as a variable for storing customer_id.
The problem is: tariff_id and total_price are inserted successfully, but the column customer_id is still null.
Help needed.
Fetching data to the client and returning it row by row back to the server
can well produce big overhead. There's a better way to do the same,
a so-called "insert/select" query:
using (SqlCommand command = connection.CreateCommand()) {
command.CommandText =
"insert into Flight_Reservation(\n" +
" Customer_Id,\n" +
" Tariff_Id,\n" +
" Total_Price)\n" +
" select Customer_Id,\n" +
" @prm_Tariff_Id,\n" +
" @prm_Total_Price\n" +
" from Customer\n" +
" where (UserName = @prm_UserName) and\n" +
" (Password = @prm_Password)";
command.Parameters.Add("@prm_Tariff_Id", SqlDbType.VarChar, 80).Value = tariff_id;
command.Parameters.Add("@prm_Total_Price", SqlDbType.VarChar, 80).Value = total_price.ToString();
command.Parameters.Add("@prm_UserName", SqlDbType.VarChar, 80).Value = username;
command.Parameters.Add("@prm_Password", SqlDbType.VarChar, 80).Value = password;
command.ExecuteNonQuery();
}
string selectedAreas = getSelectedAreas(areaCounts);
SqlConnection cn = new SqlConnection(connectionstring);
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "select top 1 [x1] " +
"from sometable " +
"where sometable.coll = @selectedAreas" +
"order by NEWID() ";
cmd.CommandType = System.Data.CommandType.Text;
cmd.Connection = cn;
cmd.Parameters.AddWithValue("@selectedAreas", selectedAreas);
What am I doing wrong here?
I get
Must declare the scalar variable for @selectedAreas.
@selectedAreas might become something like:
" 'nyc' or sometable.coll = 'la' or sometable.coll = 'miami' "
Edit:
I added the space as the comment below pointed out. And removed the parameter, like this:
cmd.CommandText = "select top 1 [x1] " +
"from sometable " +
"where sometable.coll = " + selectedAreas +
" order by NEWID() ";
Don't know how correct it is but it works for now...
It could be the way you are running the command (which you didn't include in your question), such as in this case: Must Declare Scalar Variable
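A single parameter carries one value, so it cannot stand in for a list of alternatives joined with `or`. The following added example (not code from the thread) keeps the list parameterized by generating one placeholder per value; the class name, the `@area0`, `@area1`, ... parameter names and the `NVarChar(50)` size are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class AreaQuery
{
    // Builds "coll in (@area0, @area1, ...)" with one typed parameter per value,
    // so the values themselves never become part of the SQL text.
    // SQL Server accepts at most 2100 parameters per command.
    public static SqlCommand Build(SqlConnection cn, IReadOnlyList<string> areas)
    {
        if (areas == null || areas.Count == 0)
            throw new ArgumentException("At least one area is required.", nameof(areas));

        var cmd = new SqlCommand { Connection = cn, CommandType = CommandType.Text };
        var names = new List<string>(areas.Count);
        for (int i = 0; i < areas.Count; i++)
        {
            string name = "@area" + i;   // generated by code, never taken from input
            names.Add(name);
            // Size 50 is an assumed width for sometable.coll.
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 50).Value = areas[i];
        }

        cmd.CommandText =
            "select top 1 [x1] " +
            "from sometable " +
            "where sometable.coll in (" + string.Join(", ", names) + ") " +
            "order by NEWID()";
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input; the value containing a quote stays plain data.
        var areas = new[] { "nyc", "la", "coeur d'alene" };
        using (SqlCommand cmd = Build(null, areas))   // no connection needed to inspect it
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }
    }
}
```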
First time I'm doing an insert from ASP.NET/C# and I'm having a little issue. I keep getting the following error every time this code runs: "ExecuteNonQuery: CommandText property has not been initialized". Does anyone know what this means and how I fix it?
Thanks in advance!
string sqlQuery = "INSERT INTO ATI_LOG_IO (Date, Connect_Time, Disconnect_Time, ATI_Rep, Reason_For_Access, Property_Contact, Case_Number, Comments, Property_ID)";
sqlQuery += "VALUES (@Today, @Connect, @Disconnect, @Rep, @Reason, @Contact, @CaseNum, @Comments, @PropertyID)";
using (SqlConnection dataConnection = new SqlConnection(connectionString))
{
using (SqlCommand dataCommand = dataConnection.CreateCommand())
{
dataConnection.Open();
dataCommand.CommandType = CommandType.Text;
dataCommand.CommandText = sqlQuery;
dataCommand.Parameters.Add("@Today", DateTime.Today.ToString());
dataCommand.Parameters.Add("@Connect", txtInDate.Text + " " + fromHrs.Text + ":" + fromMins.Text + ":00");
dataCommand.Parameters.Add("@Disconnect", txtOutdate.Text + " " + toHrs.Text + ":" + fromMins.Text + ":00");
dataCommand.Parameters.Add("@Rep", repID);
dataCommand.Parameters.Add("@Reason", txtReason.Text);
dataCommand.Parameters.Add("@Contact", txtContact.Text);
dataCommand.Parameters.Add("@CaseNum", txtCaseNum.Text);
dataCommand.Parameters.Add("@Comments", txtComments.Text);
dataCommand.Parameters.Add("@PropertyID", lstProperties.SelectedValue);
dataCommand.ExecuteNonQuery();
dataConnection.Close();
}
}
string sqlQuery = "INSERT INTO ATI_LOG_IO (Date, Connect_Time, Disconnect_Time, ATI_Rep, Reason_For_Access, Property_Contact, Case_Number, Comments, Property_ID)";
sqlQuery += " VALUES (@Today, @Connect, @Disconnect, @Rep, @Reason, @Contact, @CaseNum, @Comments, @PropertyID)";
using (SqlConnection dataConnection = new SqlConnection(connectionString))
{
using (SqlCommand dataCommand = new SqlCommand(sqlQuery, dataConnection))
{
dataCommand.Parameters.AddWithValue("Today", DateTime.Today.ToString());
dataCommand.Parameters.AddWithValue("Connect", txtInDate.Text + " " + fromHrs.Text + ":" + fromMins.Text + ":00");
dataCommand.Parameters.AddWithValue("Disconnect", txtOutdate.Text + " " + toHrs.Text + ":" + fromMins.Text + ":00");
dataCommand.Parameters.AddWithValue("Rep", repID);
dataCommand.Parameters.AddWithValue("Reason", txtReason.Text);
dataCommand.Parameters.AddWithValue("Contact", txtContact.Text);
dataCommand.Parameters.AddWithValue("CaseNum", txtCaseNum.Text);
dataCommand.Parameters.AddWithValue("Comments", txtComments.Text);
dataCommand.Parameters.AddWithValue("PropertyID", lstProperties.SelectedValue);
dataConnection.Open();
dataCommand.ExecuteNonQuery();
dataConnection.Close();
}
}
Copy-paste should do the trick
This usually means you haven't set the CommandText property, but in your case, you have.
You should try testing that the sqlQuery string is actually not empty at this line:
dataCommand.CommandText = sqlQuery;
P.S. As a "best practice", you may want to consider opening the connection AFTER setting up the SqlCommand object, to minimize the time spent with an open connection:
dataCommand.CommandType = CommandType.Text;
dataCommand.CommandText = sqlQuery;
dataCommand.Parameters.Add("@Today", DateTime.Today.ToString());
//...
dataConnection.Open();
dataCommand.ExecuteNonQuery();
dataConnection.Close();
Looking at your string sql query, you're not leaving a space between the "INTO" part and "VALUES" part.
...............Property_ID)";
sqlQuery += "VALUES (@Today, ..............
SHOULD BE:
...............Property_ID)";
sqlQuery += " VALUES (@Today, ..............