Question

So Visual Studio tells me that my quotes are not right in the update statement. I feel it might be something more than that. I feel I am close but I don't see where I am going wrong in this sql statement. The point of the webpage is to update the database that is all for this step. Can someone help me out.

Here is my code.

P.S. - I did an insert statement similar to this but the string idString part all the way to the softwareReportRecord.Close(); was beneath the update statement and it worked.

    using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        reportDateText.Text = DateTime.Today.ToShortDateString();
        //code page 429
        if (Page.IsPostBack)
        {
            Page.Validate();
            if (Page.IsValid)
            {

                bugReportForm.Visible = false;
                regMessage.Visible = true;
                string typeOS = oSListbox.SelectedValue;
                string reportDate = reportDateText.Text;
                string hardware = hardwareText.Text;
                string occurrence = occurrenceRadioButtonList.SelectedValue;
                string shortDescription = shortDescriptionText.Text;
                string longDescription = longDescriptionText.Text;
                string actionsTaken = actionsTakenText.Text;
                SqlConnection dbConnection = new SqlConnection("Data Source=.\\SQLEXPRESS;Integrated Security=true");
                try
                {
                    dbConnection.Open();
                    dbConnection.ChangeDatabase("BugsReport");

                }
                catch (SqlException exception)
                {
                    if (exception.Number == 911)
                    {
                        SqlCommand sqlCommand = new SqlCommand("CREATE DATABASE BugsReport", dbConnection);
                        sqlCommand.ExecuteNonQuery();
                        regMessage.Text = "<p>Successfully created the database.</p>";
                        dbConnection.ChangeDatabase("BugsReport");
                    }
                    else
                        Response.Write("<p>Error code " + exception.Number
                            + ": " + exception.Message + "</p>");
                }
                finally
                {
                    regMessage.Text += "<p>Successfully selected the database.</p>";
                }
                try
                {
                    string SQLString = "SELECT * FROM softwareLog";
                    SqlCommand checkIDTable = new SqlCommand(SQLString, dbConnection);
                    SqlDataReader idRecords = checkIDTable.ExecuteReader();
                    idRecords.Close();
                }
                catch (SqlException exception)
                {
                    if (exception.Number == 208)
                    {
                        SqlCommand sqlCommand = new SqlCommand("CREATE TABLE softwareLog (reportID SMALLINT IDENTITY(100,1) PRIMARY KEY, typeOS VARCHAR(25), reportDate DATE, hardware VARCHAR(50), occurrence VARCHAR(15), shortDescription VARCHAR(100), longDescription VARCHAR(500), actionsTaken VARCHAR(25))", dbConnection);
                        sqlCommand.ExecuteNonQuery();
                        regMessage.Text += "<p>Successfully created the table.</p>";
                    }
                    else
                        regMessage.Text += "<p>Error code " + exception.Number
                            + ": " + exception.Message + "</p>";
                }
                finally
                {
                    string idString = "SELECT IDENT_CURRENT('softwareLog') AS reportID";
                SqlCommand newID = new SqlCommand(idString, dbConnection);
                SqlDataReader softwareReportRecord = newID.ExecuteReader();
                softwareReportRecord.Read();
                string reportID = Convert.ToString(softwareReportRecord["reportID"]);
                softwareReportRecord.Close();

                string editRecord = "UPDATE softwareLog SET "
            + "typeOS='" + typeOS + "', "
            + "reportDate='" + reportDate + "', "
            + "hardware='" + hardware + "' "
            + "occurrence='" + occurrence + "' "
            + "shortDescription='" + shortDescription + "' "
            + "longDescription='" + longDescription + "' "
            + "actionsTaken='" + actionsTaken + "' "
            + "WHERE reportID=" + reportID + ";";



                    SqlCommand sqlCommand = new SqlCommand(editRecord, dbConnection);
                    sqlCommand.ExecuteNonQuery();
                }


                dbConnection.Close();
            }
        }
    }
}




finally
                {
                    string addRecord = "INSERT INTO softwareLog VALUES('"
                        + typeOS + "', '"
                        + reportDate + "', '"
                        + hardware + "', '"
                        + occurrence + "', '"
                        + shortDescription + "', '"
                        + longDescription + "', '"
                        + actionsTaken + "')";

                    SqlCommand sqlCommand = new SqlCommand(addRecord, dbConnection);
                    sqlCommand.ExecuteNonQuery();
                }
                string idString = "SELECT IDENT_CURRENT('softwareLog') AS reportID";
                SqlCommand newID = new SqlCommand(idString, dbConnection);
                SqlDataReader softwareReportRecord = newID.ExecuteReader();
                softwareReportRecord.Read();
                string reportID = Convert.ToString(softwareReportRecord["reportID"]);
                softwareReportRecord.Close();
                regMessage.Text += "<p>Sorry for your inconvience. We will be working on your problem ASAP.  For reference your ID is  </p>" + reportID;

                dbConnection.Close();
Was it helpful?

Solution

You are missing too many "," in Update. EDIT You have single quote inside string. You need to escape those quotes also:

string editRecord = "UPDATE softwareLog SET "
    + "typeOS='" + typeOS.Replace("'", "''") + "', "
    + "reportDate='" + reportDate + "', "
    + "hardware='" + hardware.Replace("'", "''") + "',"
    + "occurrence='" + occurrence.Replace("'", "''") + "',"
    + "shortDescription='" + shortDescription.Replace("'", "''") + "',"
    + "longDescription='" + longDescription + "',"
    + "actionsTaken='" + actionsTaken.Replace("'", "''") + "'"
    + "WHERE reportID= " + reportID ;

In insert you don't need quote for reportID:

string addRecord = "INSERT INTO softwareLog VALUES('"
    + typeOS.Replace("'", "''") + "', '"
    + reportDate + "', '"
    + hardware.Replace("'", "''") + "', '"
    + occurrence.Replace("'", "''") + "', '"
    + shortDescription.Replace("'", "''") + "', '"
    + longDescription.Replace("'", "''") + "', '"
    + actionsTaken.Replace("'", "''") + "')";

OTHER TIPS

Chances are the data being passed to the query be terminating the string early. For many reasons (including this one, but also SQL injection), you should be using parameters instead of concatenation.

Try like this, 

 string editRecord = "UPDATE softwareLog SET "
          + "typeOS='" + typeOS + "', "
          + "reportDate='" + reportDate + "', "
          + "hardware='" + hardware + "',"
          + "occurrence='" + occurrence + "',"
          + "shortDescription='" + shortDescription + "',"
          + "longDescription='" + longDescription + "',"
          + "actionsTaken='" + actionsTaken + "'"
          + "WHERE reportID=" + reportID + "";

Can you please Add your Insert Statement too.

Remarks : It will better to use Parametrized SqlCommand or Store Procedure to perform this type of operation.

If you supply value with ' to any field then, it will not work. Also check value you supply for ReportId.

In this example you should be using parameters as a precaution against SQL injection as others have mentioned.

But for other strings I suggest you look into string.Format() rather than concatenating everything. Would make that string so much easier to read.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top