11

Hi, the following code gives a syntax error. I don't know how to fix the problem.

The Error

{"SQLite error\r\nnear \"Mytext\": syntax error"}

My Code

string dataSource = "Database.s3db";
SQLiteConnection connection = new SQLiteConnection();
connection.ConnectionString = "Data Source=" + dataSource;
connection.Open();
SQLiteCommand command = new SQLiteCommand(connection);
command.CommandText = ("update Example set Info ='" + textBox2.Text + ", Text ='"+textBox3.Text + "where ID ='" + textBox1.Text +"'");
command.ExecuteNonQuery();
2
  • 3
    To avoid this kind of errors (and SQL injections), you should use query parameters, not create the SQL command string dynamically. Commented Mar 4, 2012 at 15:37
  • 2
    @user1248067: Please don't use the accepted answer as-is. You should really, really use parameterized SQL. Commented Mar 4, 2012 at 15:47

2 Answers 2

30

Others have suggested alternative ways of constructing the SQL, but you shouldn't be including the values in the SQL at all. You should be using a parameterized query, which avoids SQL injection attacks amongst other things.

It's not immediately clear to me which driver you're using, but assuming it's the Devart.com one, the documentation for SQLiteCommand.Parameters gives a good example of how to do this. In your case, the code would become something like:

string dataSource = "Database.s3db";
using (SQLiteConnection connection = new SQLiteConnection())
{
    connection.ConnectionString = "Data Source=" + dataSource;
    connection.Open();
    using (SQLiteCommand command = new SQLiteCommand(connection))
    {
        command.CommandText =
            "update Example set Info = :info, Text = :text where ID=:id";
        command.Parameters.Add("info", DbType.String).Value = textBox2.Text; 
        command.Parameters.Add("text", DbType.String).Value = textBox3.Text; 
        command.Parameters.Add("id", DbType.String).Value = textBox1.Text; 
        command.ExecuteNonQuery();
    }
}

1 Comment

I'm not sure if it is a version issue; but I had to use "DbType.String" in place of "SqLiteType.Text". I'm using SQLite version 1.0.99
1

So, use the above answer as parameterised SQL is best practice.

But, to answer your question on syntax - there are two issues:

command.CommandText = ("update Example set Info ='" + textBox2.Text + ", Text ='"+textBox3.Text + "where ID ='" + textBox1.Text +"'");

Here, you're not closing the single quote after you've written the set Info ='" + textBox2.Text + ", Text

It should be: set Info ='" + textBox2.Text + "', Text

^^ with a closing ' after the double quote.

You've made the same mistake with textBox3.

Also, Text ='"+textBox3.Text + "where

There's no space before the where keyword.

Tip: when having errors like this, output the SQL to the console and inspect the constructed string. But parameterised is the best approach.
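As an added example (not code from either answer; Python's built-in sqlite3 module stands in for the C# SQLite driver, since the SQLite behaviour is the same), this runs three variants against a constructed copy of the Example table: the question's concatenation, the syntax-fixed concatenation fed a value containing an apostrophe, and the parameterized update. The column types and the sample row with ID '1' are assumptions.

```python
import sqlite3

# Constructed sample table mirroring the question's "Example" table
# (column types and the seed row are assumptions, not from the question).
SETUP_SQL = """
CREATE TABLE Example (ID TEXT PRIMARY KEY, Info TEXT, Text TEXT);
INSERT INTO Example VALUES ('1', 'old info', 'old text');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def question_statement(info, text, row_id):
    """The concatenation exactly as the question builds it: the closing
    quotes after Info and Text are missing, as is the space before WHERE."""
    return ("update Example set Info ='" + info + ", Text ='" + text
            + "where ID ='" + row_id + "'")


def fixed_concat_statement(info, text, row_id):
    """The second answer's syntax fix. Still unsafe: an apostrophe in any
    value ends the string literal early and changes the SQL structure."""
    return ("update Example set Info ='" + info + "', Text ='" + text
            + "' where ID ='" + row_id + "'")


def try_execute(sql):
    """Run one statement on a fresh db; return SQLite's error text, or None."""
    try:
        fresh_db().execute(sql)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def parameterized_update(info, text, row_id):
    """The first answer's approach: values are bound, never spliced into
    the SQL, so quotes in the input are just data. Returns the updated row."""
    conn = fresh_db()
    conn.execute(
        "update Example set Info = :info, Text = :text where ID = :id",
        {"info": info, "text": text, "id": row_id},
    )
    return conn.execute(
        "select Info, Text from Example where ID = ?", (row_id,)
    ).fetchone()
```

Printing `question_statement(...)` before executing it is the second answer's tip in action: the missing quotes and space are obvious once the built string is inspected.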
