Search code examples
c#mysql.net-2.0sql-update

Updating my database won't work because of incorrect syntax for MySql

I am trying to update my database but then this error about my syntax shows up

MySql.Data.MySqlClient.MySqlException: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(platenumber,brand,model,yearmodel,regdate,exdate,odometer) set id = '1' values(' at line 1'

I am not too familiar with MySQl but I got rid of all the errors it showed here in my code

 private void savebtn_Click(object sender, EventArgs e)
    {
        string ID = idtxt.Text;

        MySqlCommand cmd = new MySqlCommand("update inventory.vehicle(platenumber,brand,model,yearmodel,regdate,exdate,odometer) set id = '" + this.idtxt.Text + "' values(@platenumber, @brand, @model,@yearmodel, @regdate, @exdate,@odometer) where id = '"+ this.idtxt.Text +"'", conn);

        cmd.Parameters.Add("@platenumber", MySqlDbType.VarChar, 10).Value = pnumber.Text;
        cmd.Parameters.Add("@brand", MySqlDbType.VarChar, 60).Value = brand.Text;
        cmd.Parameters.Add("@model", MySqlDbType.VarChar, 45).Value = model.Text;
        cmd.Parameters.Add("@yearmodel", MySqlDbType.Int32).Value = yearmodel.Text;
        cmd.Parameters.Add("@regdate", MySqlDbType.Date).Value = datereg.MinDate;
        cmd.Parameters.Add("@exdate", MySqlDbType.Date).Value = regexp.MinDate;
        cmd.Parameters.Add("@odometer", MySqlDbType.Decimal).Value = odometer.Text;



        int i = cmd.ExecuteNonQuery();
        if (i != 0)
        {
            MessageBox.Show("Success");
        }
        else
        {   
            MessageBox.Show("Fail");
        }

        this.Close();
    }

what could be causing this error?

Solution

  • As stated in the error, your query is wrong

    MySqlCommand cmd = new MySqlCommand(
  "update inventory.vehicle 
  (platenumber,brand,model,yearmodel,regdate,exdate,odometer) 
  set id = '" + this.idtxt.Text + "' 
  values(@platenumber, @brand, @model,@yearmodel, @regdate, @exdate,@odometer)
  where id = '"+ this.idtxt.Text +"'", conn);

    mustn't have values part and should look like

    UPDATE inventory.vehicle SET 
  platenumber=@platenumber,
  brand=@brand
  model=@model,
  ....
WHERE id = @id

    Don't ever use string join inside a query, but use parameters instead for two main reasons:

    1. You don't go crazy combining strings
    2. Your query won't suffer for SQL injection

    So even WHERE id= part must use a parameter!