
I've been building a small inventory system for my workplace and have stumbled on an error that I cannot seem to fix

 private void Update(string num,string name, string quant, string location, string category, string numquery)
    {
       // "UPDATE Inventory SET Inventorynumber='"+ num +"',Inventory_Name='"+name+"', Quantity ='"+ quant+"',Location ='"+ location+"' Category ='"+ category+"' WHERE Inventorynumber ='"+ numquery +"';";
        string query = "UPDATE Inventory SET Inventorynumber='" + Convert.ToInt16(num) + "',Inventory_Name='" + name + "', Quantity ='" + quant + "',Location ='" + location + "' Category ='" + category + "' WHERE Inventorynumber ='" + Convert.ToInt16(numquery) + "'";
        if (this.OpenConnection() == true)
        {
            MySqlCommand cmd = new MySqlCommand();
            cmd.CommandText = query;
            cmd.Connection = serverconnection;
            cmd.ExecuteNonQuery();
            this.CloseConnection();
            Bind();
        }
    }

I have no idea what to change here. Any help would be appreciated.

4
  • Any clue to what error? I just see code, no errors. Please post stacktrace. Commented Dec 10, 2013 at 10:32
  • You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Category ='test' WHERE Inventorynumber ='2'' at line 1 Commented Dec 10, 2013 at 10:33
  • Is it the numbers being in quotes? Commented Dec 10, 2013 at 10:33
  • I've taken it out of quotes without any change in result. Commented Dec 10, 2013 at 10:34

6 Answers 6

13

Problem: You are missing the comma after location parameter in your query.
Solution: You need to separate the parameters using a comma.

Suggestion: Use parameterized queries to avoid SQL injection attacks.

Try this:

private void Update(string num,string name, string quant, string location, string category, string numquery)
    {
       // "UPDATE Inventory SET Inventorynumber='"+ num +"',Inventory_Name='"+name+"', Quantity ='"+ quant+"',Location ='"+ location+"' Category ='"+ category+"' WHERE Inventorynumber ='"+ numquery +"';";
        // The WHERE clause needs its own parameter name: adding "@Inventorynumber" twice
        // to the same command throws because the parameter is already defined.
        string query = "UPDATE Inventory SET Inventorynumber=@Inventorynumber,Inventory_Name=@Inventory_Name, Quantity =@Quantity ,Location =@Location,Category =@Category WHERE Inventorynumber =@CurrentInventorynumber";
        if (this.OpenConnection() == true)
        {
            MySqlCommand cmd = new MySqlCommand();
            cmd.CommandText = query;
            cmd.Parameters.AddWithValue("@Inventorynumber",Convert.ToInt16(num));
            cmd.Parameters.AddWithValue("@Inventory_Name",name);
            cmd.Parameters.AddWithValue("@Quantity",quant);
            cmd.Parameters.AddWithValue("@Location",location);
            cmd.Parameters.AddWithValue("@Category",category);
            cmd.Parameters.AddWithValue("@CurrentInventorynumber",Convert.ToInt16(numquery));
            cmd.Connection = serverconnection;
            cmd.ExecuteNonQuery();
            this.CloseConnection();
            Bind();
        }
    }

1 Comment

Dude, liked your way of answering: Problem, Solution, Suggestion ... nice
3

Yes, the error is the missing comma, but this is the result of all that mess with string concatenation, which always ends in subtle syntax errors.
Why don't you use a parameterized query? It is a lot simpler to write, you avoid parsing errors like this and (more importantly) you avoid SQL injection.

private void Update(string num,string name, string quant, string location, string category, string numquery)
{
    string query = "UPDATE Inventory SET Inventorynumber=@num, Inventory_Name=@name, " +
                   "Quantity =@qty,Location =@loc, Category =@cat " + 
                   "WHERE Inventorynumber =@numquery";
    if (this.OpenConnection() == true)
    {
        MySqlCommand cmd = new MySqlCommand(query, serverconnection);
        cmd.Parameters.AddWithValue("@num", Convert.ToInt16(num));
        cmd.Parameters.AddWithValue("@name", name);
        cmd.Parameters.AddWithValue("@qty", quant);
        cmd.Parameters.AddWithValue("@loc", location);
        cmd.Parameters.AddWithValue("@cat", category);
        cmd.Parameters.AddWithValue("@numquery", Convert.ToInt16(numquery));
        cmd.ExecuteNonQuery();
        this.CloseConnection();
        Bind();
    }
}

As a side note, I have some doubts about some parameter types. Are you sure that quantity is really a string, as implied by the presence of quotes around your original value? Also, the numquery and num variables are of type string; you try to convert them to a short integer and then you put them inside quotes (meaning that in the database the fields are of type text). This makes no sense at all. If the database expects numbers then do not use quotes; if the database expects strings then do not try to convert. Another reason to use a parameterized query, which forces you to reflect on these issues.

2 Comments

It's really my first time using this, I plan to clean it up. But for the moment we need it done quick and dirty.
Not to argue with you, but trust me, string concatenation is NEVER the quick way to go. I agree on the dirty part though :-)
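Building on the answerer's point about parameter types, the following is an added example (not the answerer's or the question's code) of the same method with typed parameters, input validation and a checked row count. It assumes Inventorynumber and Quantity are integer columns, the other columns are VARCHAR, and reuses the question's serverconnection, OpenConnection, CloseConnection and Bind members.

```csharp
using MySql.Data.MySqlClient;

// Assumed schema (not stated on the page): Inventorynumber and Quantity are INT,
// Inventory_Name, Location and Category are VARCHAR; serverconnection, OpenConnection,
// CloseConnection and Bind are the existing members from the question.
private bool TryUpdate(string num, string name, string quant, string location,
                       string category, string numquery, out string error)
{
    error = null;
    // Validate the numeric inputs up front rather than letting Convert.ToInt16 throw.
    if (!int.TryParse(num, out int newNumber) || !int.TryParse(numquery, out int currentNumber) ||
        !int.TryParse(quant, out int quantity) || quantity < 0)
    {
        error = "Inventory number and quantity must be non-negative integers.";
        return false;
    }
    const string query =
        "UPDATE Inventory SET Inventorynumber = @newNumber, Inventory_Name = @name, " +
        "Quantity = @qty, Location = @loc, Category = @cat " +
        "WHERE Inventorynumber = @currentNumber";
    if (!this.OpenConnection())
    {
        error = "Could not open the database connection.";
        return false;
    }
    try
    {
        using (var cmd = new MySqlCommand(query, serverconnection))
        {
            // Typed parameters: the driver sends each value separately from the SQL text,
            // so a name containing a quote or a comma cannot alter the statement.
            cmd.Parameters.Add("@newNumber", MySqlDbType.Int32).Value = newNumber;
            cmd.Parameters.Add("@name", MySqlDbType.VarChar).Value = name;
            cmd.Parameters.Add("@qty", MySqlDbType.Int32).Value = quantity;
            cmd.Parameters.Add("@loc", MySqlDbType.VarChar).Value = location;
            cmd.Parameters.Add("@cat", MySqlDbType.VarChar).Value = category;
            cmd.Parameters.Add("@currentNumber", MySqlDbType.Int32).Value = currentNumber;
            // ExecuteNonQuery returns the matched row count; 0 means the WHERE matched
            // nothing, which the original method silently ignored.
            int rows = cmd.ExecuteNonQuery();
            if (rows == 0) error = "No row with inventory number " + currentNumber + ".";
            return rows > 0;
        }
    }
    finally
    {
        this.CloseConnection();
        Bind();
    }
}
```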
2

You are missing a comma between location and category. You have heard this a million times before, I know, but it's really much better to use prepared statements so you do not have to take care of this kind of thing, and your code is much more readable.

2 Comments

My bad. Thanks for the help. The guys at work had a good laugh at me for that.
It's a very common thing; it happens to all of us.
1

You missed the comma:

Location ='" + location + "', Category ='" + category + "'
//  see the `,` between Location and Category


1

You have missed a comma (,) in the query:

string query = "UPDATE Inventory SET Inventorynumber='" + Convert.ToInt16(num) + "',Inventory_Name='" + name + "', Quantity ='" + quant + "',Location ='" + location + "' Category ='" + category + "' WHERE Inventorynumber ='" + Convert.ToInt16(numquery) + "'";

Make it as:

string query = "UPDATE Inventory SET Inventorynumber='" + Convert.ToInt16(num) + "',Inventory_Name='" + name + "', Quantity ='" + quant + "',Location ='" + location + "', Category ='" + category + "' WHERE Inventorynumber ='" + Convert.ToInt16(numquery) + "'";


0

Try removing the ' single quotes around the integers?
