You should always use parametrized queries, or your code is vulnerable to errors like the one you are getting and, even worse, to SQL Injection attacks. Never use string concatenations as in your code when building SQL queries. Here's the correct way:

```csharp
using (var conn = new SqlConnection(ConnectionString))
using (var cmd = conn.CreateCommand())
{
    conn.Open();
    // The value is sent as a parameter, never spliced into the SQL text
    cmd.CommandText = "DELETE FROM tblCourses WHERE courseCode = @courseCode";
    cmd.Parameters.AddWithValue("@courseCode", aCourseCode);
    int deletedRowsCount = cmd.ExecuteNonQuery();
}
```

This will ensure that even if the aCourseCode variable contains some escape and dangerous characters they will be properly handled.
2 +1 Not to mention this will also escape any quotation marks in the aCourseCode variable. – Yuck Sep 2 at 17:22
thank you so much for help.... :) – Hear Smuggler Sep 6 at 4:39
You probably have a single or double quote coming through in your aCourseCode variable.

A better way to format strings is to use something like this:

```csharp
lSQL = String.Format("DELETE FROM tblCourses where courseCode='{0}'", aCourseCode);
```

Also make sure you do not have any embedded double quotes or single quotes in your variable aCourseCode. Hope that helps.
6 No, this is not a better way. It suffers from the same problems as the original code. – Darin Dimitrov Sep 2 at 17:24
I agree... I was giving him a way to format the string correctly, not for the SQL operation. – abraganza Sep 2 at 17:26
I don't see why this was downvoted. Of course, the point mentioned last is the more important one, but this is still sound advice. @Darin, while this won't solve the problem, it does make it easier to spot missing quotation marks, and thus harder to write incorrectly quoted queries. (But of course, quoting goes away once you're writing a parameterized query. It's still a useful technique in other scenarios.) – stakx Sep 2 at 17:27
5 @stakx, I didn't downvote this answer but I think that the person who downvoted it wanted to make sure that other people having the same problem wouldn't ever use code like this. And I must agree with him. – Darin Dimitrov Sep 2 at 17:35
thank you so much for help, :) – Hear Smuggler Sep 27 at 4:40