Member Avatar for Duki

Hey Guys,

I'm connecting to an SQL server and updating some fields. This works:

cmd = new SqlCommand("UPDATE Laptops SET Checkout_Date = '" + form_CheckOut.checkout + "' WHERE name='pen-laptop1'", conn);
cmd.ExecuteNonQuery();

But this one doesn't:

cmd = new SqlCommand("UPDATE Laptops SET " +
" isCheckedOut = 0" +
" Checkout_Date = '" + form_CheckOut.checkout + 
"', Checkin_Date = '" + form_CheckOut.checkin +
"', Checked_Out_By = '" + form_CheckOut.user + 
"', WHERE name = 'pen-laptop1'");

cmd.ExecuteNonQuery();

EDIT - FIXED CODE BELOW

cmd = new SqlCommand("UPDATE Laptops SET isCheckedOut = 0" +
                    ", Checkout_Date = '" + form_CheckOut.checkout + 
                    "', Checkin_Date = '" + form_CheckOut.checkin +
                    "', Checked_Out_By = '" + form_CheckOut.user + 
                    "' WHERE Name = '" + name + "'", conn);
Edited by Duki because: n/a
  • 2 Contributors
  • 3 Replies
  • 73 Views
  • 22 Hours Discussion Span
  • Latest Post Latest Post by Duki
Member Avatar for Duki

NEVERMIND - didn't have ,conn);

Edited my previous post :)

Edited by Duki because: n/a
Member Avatar for kvprajapati

Suggestion: Don't use SQL query by concatenating hard-coded strings together with a string entered by the user.

Sql Injection.

Member Avatar for Duki

Very neat - I'll give that a whirl now.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.