SQL Server的更新查詢錯誤

Question

錯誤：

An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

Additional information: Incorrect syntax near '4'.

Unclosed quotation mark after the character string ''.

我的代碼：

public partial class editemp : Window 
{ 
    SqlConnection con = new SqlConnection(@"Data Source=Haier;Initial Catalog=HRMS;Integrated Security=True"); 
    SqlCommand cmd; 
    SqlDataReader dr; 
    int empid; 

    public editemp() 
    { 
     InitializeComponent(); 
    } 

    private void editemp_fun(object sender, RoutedEventArgs e) 
    { 
     con.Open(); 
     searchid(textBox.Text); 
     dr.Close(); 
     con.Close(); 
     con.Open(); 

     cmd = new SqlCommand("update Employee set EmpID='"+empid+ "',E_Name='" + textBox.Text + "',E_Contact='" + textBox_Copy.Text + "',Designaiton='" + textBox_Copy1.Text + "',Password='" + passwordBox.Password.ToString() + "Where EmpID='"+empid.ToString() +"'", con); 

     cmd.ExecuteNonQuery(); 
     con.Close(); 
     new employees().Show(); 
     Close(); 
    } 

    public void searchid(string name) 
    { 
     //con.Open(); 
     cmd = new SqlCommand("Select * from Employee where E_Name='"+textBox.Text+"'",con); 

     dr = cmd.ExecuteReader(); 

     while (dr.Read()) 
     { 
      empid = Convert.ToInt32(dr[0].ToString()); 
     } 
    } 

    private void cancel(object sender, RoutedEventArgs e) 
    { 
     new employees().Show(); 
     Close(); 
    } 
} 

那必須是焦點主要查詢

cmd = new SqlCommand("update Employee set EmpID='"+empid+ "',E_Name='" + textBox.Text + "',E_Contact='" + textBox_Copy.Text + "',Designaiton='" + textBox_Copy1.Text + "',Password='" + passwordBox.Password.ToString() + "Where EmpID='"+empid.ToString() +"'", con); 

在where子句中它給上面提到的錯誤。

非常感謝你

Answer 1

有一個空間之前，還有一個單引號。

所以

cmd = new SqlCommand("update Employee set EmpID='"+empid+ "',E_Name='" + textBox.Text + "',E_Contact='" + textBox_Copy.Text + "',Designaiton='" + textBox_Copy1.Text + "',Password='" + passwordBox.Password.ToString() + "' Where EmpID='"+empid.ToString() +"'", con); 

不過，我勸你做什麼已被他人在評論建議。如果沒有，你仍然可以得到錯誤，這取決於你用來構建sql命令文本的值。

Answer 2

答案是

cmd = new SqlCommand("update Employee set EmpID='"+empid+ "',E_Name='" + textBox.Text + "',E_Contact='" + textBox_Copy.Text + "',Designaiton='" + textBox_Copy1.Text + "',Password='" + passwordBox.Password.ToString() + "' Where EmpID='"+empid.ToString() +"'", con); 

謝謝NemanjanPerovic爵士和阿克沙伊馬哈詹

Answer 3

如果我理解正確的話，你想是這樣的：

string query = "UPDATE Employee SET EmpID = @empid, E_Name = @ename, E_Contact = @econtact, Designaiton = @designation, Password = @password WHERE EmpID = @empid"; 

SqlCommand cmd = new SqlCommand(query, conn); 

cmd.Parameters.AddWithValue("@empid", empid); 
cmd.Parameters.AddWithValue("@ename", textBox.Text); 
cmd.Parameters.AddWithValue("@econtact", textBox_Copy.Text); 
cmd.Parameters.AddWithValue("@designation", textBox_Copy1.Text); 
cmd.Parameters.AddWithValue("@password", passwordBox.Password.ToString()); 

注意如何我已經使用參數，而不是字符串連接，這是非常重要的。