insert query with where clause

  • Question

  • User398667345 posted

    Hi,

    I am facing a simple problem.

    I try to insert the records in my table by referring to the login id. I got the id by

    string userId = Membership.GetUser().ProviderUserKey.ToString();

    but when I write the query

    query = String.Format("insert into test(Name) values('Hello') where Id = '" + CustId + "'");

    I got an error at runtime which said there is an error near the where.

    The field names are right.

    What's wrong?

    Wednesday, September 5, 2007 3:35 AM

Answers

  • User-1246604461 posted

    First of all, use parameterized queries; with your query you are very vulnerable to SQL injection attacks (search the web on "sql injection" and how to prevent them).

    Secondly, you can't use an insert statement the way you do, because you apparently already have a record where the value of the id column is equal to CustId.


    If you want to INSERT a NEW record, you use: insert into test(id,name) values (@id,@name) (note how I use parameterized values)
    If you want to UPDATE an EXISTING record, you use: update test set name=@name where id=@id

    HTH

    Please mark the answer as answered if this helped you :)

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, September 5, 2007 5:14 AM
  • User-364257247 posted

    You want to update the username; you are not inserting the record.

    So use an update query instead of an insert query.

    And for an insert query, a WHERE clause is not used.

    So use your query like:

    update urtablename set username='hello' where =...ur condition..

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, September 5, 2007 5:15 AM
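    The two answers above put together as an added C# example (not code from this thread): the value for Name goes in as a typed parameter, and an existing row is changed with UPDATE ... WHERE while a new one is created with a plain INSERT. It assumes a table test(Id uniqueidentifier, Name nvarchar(50)), a web.config connection string named "TestDb", and SqlMembershipProvider, whose ProviderUserKey is a Guid.

```csharp
// Added example, not from the thread. Assumes table test(Id uniqueidentifier, Name nvarchar(50)), a web.config connection string "TestDb", and SqlMembershipProvider (ProviderUserKey is a Guid).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
public static class TestRepository
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["TestDb"].ConnectionString;

    // Change the Name of the row that already exists for this Id: an UPDATE with a WHERE clause.
    // Returns the number of rows affected; 0 means no row has that Id.
    public static int RenameById(Guid id, string name)
    {
        const string sql = "UPDATE test SET Name = @name WHERE Id = @id";
        return Execute(sql, id, name);
    }

    // Create a new row: an INSERT supplies values for the columns and has no WHERE clause.
    public static int CreateRow(Guid id, string name)
    {
        const string sql = "INSERT INTO test (Id, Name) VALUES (@id, @name)";
        return Execute(sql, id, name);
    }

    private static int Execute(string sql, Guid id, string name)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The SQL text stays constant; values travel as typed parameters, so a quote
            // inside 'name' is stored as data rather than altering the statement.
            cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier).Value = id;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Called from a page: the logged-in user's key selects the row to change.
    public static int SetNameForCurrentUser(string name)
    {
        var key = (Guid)Membership.GetUser().ProviderUserKey;
        int affected = RenameById(key, name);
        // If no row existed yet, create it instead of silently doing nothing.
        return affected > 0 ? affected : CreateRow(key, name);
    }
}
```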

All replies

  • User1637850196 posted

    Hi, you seem to have made only a small mistake here,

    query = String.Format("insert into test(Name) values('Hello') where Id =" + CustId);

    this would work, you had used "" unnecessarily in your query. Do reply with your results :)


    MARK AS ANSWER if it helps - yrus

    Monday, January 10, 2011 2:22 AM