0 
cmd.Connection = con;
con.Open();
cmd.CommandText = "Update tiit.Enquiry Set Status='" + DropDownList4.SelectedValue + "', NextFollowup='" + TextBox8.Text + "', Remarks='" + TextBox9.Text + "', Name='" + TextBox1.Text + "', Email='" + TextBox2.Text + "', Phone='" + TextBox3.Text + "','','','','', City='" + TextBox4.Text + "', Country='" + TextBox5.Text + "', Course='" + TextBox6.Text + "', Comments='" + TextBox7.Text + "', Cost='" +TextBox14.Text+ "' where SN='" + HiddenField1.Value + "'";
int i = cmd.ExecuteNonQuery();
con.Close();
Improve this question
1
  • Please post more details Commented Jan 5, 2011 at 10:04

2 Answers 2

Reset to default
3

No, don't do this. Never use string concatenations (+ operator) when building your SQL queries. Use parametrized queries:

cmd.Connection = con; 
con.Open(); 
cmd.CommandText = "UPDATE tiit.Enquiry Set Status=@Status, NextFollowup=@NextFollowup, ...";
cmd.Parameters.AddWithValue("@Status", DropDownList4.SelectedValue);
cmd.Parameters.AddWithValue("@NextFollowup", TextBox8.Text);
...

This way your code won't be vulnerable to SQL injection and you won't have any encoding problems.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

3

In all probability this:

"Update tiit.Enquiry Set Status='"

is you problem. (I'm talking about the .)

I completely agree however - use parametrised queries.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.