Update Form Fields

[nicks60610]

I am trying to update some form fields but each time I click the submit button it comes back with an error:

Syntax error near keyword "where"...

This is the code I have for the update statement:

Sub Button_Update(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

Dim strUpdate As String
Dim strStatus = Status.SelectedItem.Value
Dim strLongDescription = DescrTxt.Text
Dim strUserName = UserTxt.Text

strUpdate = "UPDATE Kaizen SET Status = '" & strStatus & "', LongDescription = '" & strLongDescription & "', where Date = '" & Session("Date") & "' and KaizenID = '" & Session("ID") & "'"



'If Len(Trim(strSafetyAnalysis)) > 0 Then
'strSafetyAnalysis = Replace(strSafetyAnalysis, "'", "''")
'End If


Const StrConnString As String = ""

Dim objConn2 As New SqlConnection(StrConnString)

objConn2.Open()

Dim cmdUpdate As SqlCommand

cmdUpdate = New SqlCommand(strUpdate, objConn2)

cmdUpdate.ExecuteNonQuery()

objConn2.Close()


End Sub


End Class


I am calling the session variables earlier in another sub routine, is it possible they "expired"?

Thanks in advance,

 

[nicks60610]

Nevermind, missed the "extra" comma before the WHERE....


sometimes a blind man can see too ;-)

 

[ca8msm]

You should really use parameters for this function as you are leaving yourself open to an SQL Injection attack.


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 

[nicks60610]

Yeah I know, I have been bad about that, mostly because it is all internal code (Intranet), but still i should change...

Thanks ca8msm!