Data type mismatch in criteria expression, Syntax error in UPDATE statement

  • Question

  • User-1998474842 posted

    Hi guys,

    Why does the update link give this error: Syntax error in UPDATE statement?

    Why does the delete link give this error: Data type mismatch in criteria expression?

        protected void textBAID_Click(object sender, EventArgs e)
        {
            if (Page.IsPostBack)
            {
                string strSQL = null;
    
                string strConnection = ConfigurationManager.ConnectionStrings["AccessDADB"].ConnectionString;
                strSQL = "Update Dawabka_Basket SET ([Basket_Perm] = ?)  where BAID = '" + Request.QueryString["BAID"] + "'";
    
                //Call Open database - connect to the database
    
                OleDbConnection objConnection = new OleDbConnection(strConnection);
                OleDbCommand objCommand = new OleDbCommand(strSQL, objConnection);
    
                objConnection.Open();
                objCommand.Parameters.AddWithValue("@Basket_Perm", "1");
                objCommand.ExecuteNonQuery();
                objCommand = null;
                objConnection.Close();
                objConnection = null;
    
                lblSSuccess.Text = "به‌سه‌رکه‌وتوی یه‌که‌ی نیشته‌جێ بون زیاد کرا, چاوه‌روان به‌ بۆ ده‌رکه‌وتن له‌ لیستی یه‌که‌کان.";
                lblSSuccess.ForeColor = ColorTranslator.FromHtml("green");
            }
        }
        protected void textBAID_Click1(object sender, EventArgs e)
        {
            if (Page.IsPostBack)
            {
                string strSQL = null;
    
                string strConnection = ConfigurationManager.ConnectionStrings["AccessDADB"].ConnectionString;
                strSQL = "DELETE FROM Dawabka_Basket where [BAID] ='" + Request.QueryString["BAID"] + "' ";
    
                //Call Open database - connect to the database
    
                OleDbConnection objConnection = new OleDbConnection(strConnection);
                OleDbCommand objCommand = new OleDbCommand(strSQL, objConnection);
    
                objConnection.Open();
                objCommand.ExecuteNonQuery();
                objCommand = null;
                objConnection.Close();
                objConnection = null;
    
                lblSSuccess.Text = "به‌سه‌رکه‌وتوی یه‌که‌ی نیشته‌جێ بون زیاد کرا, چاوه‌روان به‌ بۆ ده‌رکه‌وتن له‌ لیستی یه‌که‌کان.";
                lblSSuccess.ForeColor = ColorTranslator.FromHtml("green");
            }
        }
                        <asp:TemplateField HeaderText="Goren">
                            <ItemTemplate>
                                <asp:LinkButton ID="textBAID" runat="server" CommandArgument='<%# Eval("BAID").ToString() %>' OnClick="textBAID_Click">update</asp:LinkButton>
                                <asp:LinkButton ID="LinkButton1" runat="server" CommandArgument='<%# Eval("BAID").ToString()  %>' OnClick="textBAID_Click1">delet</asp:LinkButton>
    
                            </ItemTemplate>
                        </asp:TemplateField>

    Friday, January 11, 2019 4:34 PM

All replies

  • User1120430333 posted

    Maybe, the Request.QueryString["BAID"]  has a quote in it that is making the T-SQL malformed. 

    On the other hand, the solution is open to SQL Injection attack.

    You should learn how to use parameterized inline T-SQL to stop malformed T-SQL issues and stop SQL Injection attacks too.

    Friday, January 11, 2019 4:47 PM
  • User753101303 posted

    Hi,

    What do you have in Request.QueryString["BAID"]? I assume BAID is supposed to be an integer? If you compare that to an empty string you could likely have this issue (i.e. you are trying to compare an integer to an empty string).

    Not directly related, but it could be best to just always use parameters and native values (i.e. to pass an integer as an integer and not as a string). For now you even mix both, using a parameter and string concatenation in a single SQL statement?!

    Friday, January 11, 2019 4:52 PM
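
The parameterized form both replies recommend, as an added example that is not code from any poster in this thread: BAID is validated as an integer and every value is bound as a typed parameter, so no request data reaches the SQL text. The class and method names are hypothetical, and it assumes BAID and Basket_Perm are integer columns; the table, column and parameter names are taken from the question.

```csharp
using System;
using System.Data.OleDb;
using System.Globalization;

// Added example: BasketRepository and its methods are hypothetical names.
// Assumption: BAID and Basket_Perm are integer columns in Dawabka_Basket.
public static class BasketRepository
{
    // Digits only (no sign, whitespace or separators); rejects null and "".
    public static bool TryParseBaid(string raw, out int baid)
    {
        return int.TryParse(raw, NumberStyles.None,
                            CultureInfo.InvariantCulture, out baid) && baid > 0;
    }

    private static int RequireBaid(string raw)
    {
        int baid;
        if (!TryParseBaid(raw, out baid))
            throw new ArgumentException("BAID must be a positive integer.", "raw");
        return baid;
    }

    public static int SetBasketPerm(string connectionString, string rawBaid, int perm)
    {
        int baid = RequireBaid(rawBaid);
        // The SET list is written without surrounding parentheses.
        const string sql = "UPDATE Dawabka_Basket SET [Basket_Perm] = ? WHERE [BAID] = ?";
        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // OleDb binds by position: add parameters in the order of the ? markers.
            command.Parameters.Add("@Basket_Perm", OleDbType.Integer).Value = perm;
            command.Parameters.Add("@BAID", OleDbType.Integer).Value = baid;
            connection.Open();
            return command.ExecuteNonQuery(); // number of rows updated
        }
    }

    public static int DeleteBasket(string connectionString, string rawBaid)
    {
        int baid = RequireBaid(rawBaid);
        const string sql = "DELETE FROM Dawabka_Basket WHERE [BAID] = ?";
        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            command.Parameters.Add("@BAID", OleDbType.Integer).Value = baid;
            connection.Open();
            return command.ExecuteNonQuery(); // number of rows deleted
        }
    }
}
```

In the handlers from the question, `rawBaid` would be the unmodified `Request.QueryString["BAID"]` value and `connectionString` the `AccessDADB` entry; an empty or non-numeric BAID then fails validation instead of reaching the database.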