Home/ Questions/Q 5849379
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T12:59:28+00:00

I’m a newb here, and it may be because I’ve been up since yesterday

  • 0

I’m a newb here, and it may be because I’ve been up since yesterday morning, but I can’t find my error here in this insert statement. My handler asked me not to parameterize for this training project (it won’t be deployed), so no worries for the injection vulnerabilities. Anyway, the query’s right, the data types are correct, and the table and field names are spelled correctly. What am I missing here? And is there a better way to find it than just staring at the screen until it comes to you?

protected void BtnSubmit_Click(object sender, EventArgs e)
{
    string x = Request.QueryString["SubId"];
    string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionString"].ConnectionString;
    string comQuery = "INSERT INTO Submission (Status, StatusComment, StatusValue) VALUES ('" + "decline" + "', '" + TbComments.Text + "', 2) WHERE SubmissionId =" + x;
    using (SqlConnection sqlConn = new SqlConnection(connectionString))
    {
        sqlConn.Open();
        using (SqlCommand comCmd = new SqlCommand(comQuery, sqlConn))
        {
            comCmd.ExecuteNonQuery();
        }
    }
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    An INSERT can’t have a WHERE clause. It makes no sense to have one, you’re putting data in, not narrowing it down.

    If you’re trying to change preexisting data, that’s an UPDATE, not an INSERT. Here’s an example:

    "UPDATE Submission
 SET Status='decline', StatusComment='" + TbComments.Text + "', StatusValue = 2
 WHERE SubmissionId = " + x
    • 0