-1

So,

Trying to write a very simple method to update a single column in a database. I keep getting a runtime error of "Syntax Error" near the commented line below

public void SaveStatus(string id, string step)
    {
        // assuming that there is only one matching student ID
        connect = new SqlConnection(connectionString);
        connect.Open();
        dataSet = new DataSet();
        string command = "SELECT * FROM tblSubmissions WHERE Id = " + id;
        dataAdapter = new SqlDataAdapter(command, connect);

        dataAdapter.Fill(dataSet, "tblSubmissions");  // syntax error near here

        dataSet.Tables[0].Rows[0]["StatusID"] = step;

        dataAdapter.Update(dataSet, "tblSubmissions");
        dataAdapter.Dispose();
        connect.Close();
        connect.Dispose();

    }

Hoping someone can point out the obvious problem I'm missing

deadEddie
  • 242
  • 2
  • 8
  • 20

1 Answers1

3

The query should be "SELECT * FROM tblSubmissions WHERE Id = 'id_value' - you're missing the quotes around the id value.

Use a parametrised query instead of string concatenation to fix your problem and get rid of the SQL injection issue:

SqlCommand cmd = new SqlCommand("SELECT * FROM tblSubmissions WHERE Id = @id" , connect);
cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier);
cmd.Parameters["@id"].Value = id;
Marek Grzenkowicz
  • 17,024
  • 9
  • 81
  • 111
  • Thanks Marek. So, I have since realized that the data type in the table I'm saving this value to is a Guid, so even though you gave me the best possible answer to the question I asked, I'm a little stuck on that (since there isn't a SqlDbType.Guid) – deadEddie Oct 18 '13 at 23:21
  • @deadEddie I that case I think you need to use `SqlDbType.UniqueIdentifier`. – Marek Grzenkowicz Oct 19 '13 at 14:55