The SQL query works in SQL Server Management Studio. But, in Visual studio it gives an error
Incorrect syntax near D1
Code:
private void GetDataByID(string _id)
{
string connectionString = ConfigurationManager.ConnectionStrings["DatabaseConnectionString"].ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
{
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2" +
"where d1.DocumentId = d2.DocumentId and = d2.DocumentId =" + _id;
SqlCommand cmd = new SqlCommand(sqlCommand, connection);
SqlDataReader MyReader;
try
{
connection.Open();
MyReader = cmd.ExecuteReader();
while (MyReader.Read())
{
string sDueWeek = MyReader["DueWeek"].ToString();
string sTitle = MyReader["DocumentTitle"].ToString();
//string sEnglishBodyContent = MyReader["DocumentBody"].ToString();
//string sFrenchBodyContent = MyReader["DocumentBody"].ToString();
txb_Week.Text = sDueWeek;
txb_Title.Text = sTitle;
}
}
catch (Exception ex)
{
Response.Write(ex.Message);
}
}
}
Change the query as shown below
"SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2
where d1.DocumentId = d2.DocumentId and d2.DocumentId ='" + _id + "'";
In your query, you also have entered = sign after and.
Try this code
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent d1 inner join KFM.dbo.ToolBoxDocument as d2 on d1.DocumentId = d2.DocumentId " + " where d2.DocumentId = " + _id;
Also it's better to write store procedure instead and call from your c# code.
private void GetDataByID(string _id)
{
string connectionString = ConfigurationManager.ConnectionStrings["DatabaseConnectionString"].ConnectionString;
string sqlCommand = "SELECT d1.*, d2.* "
+ " FROM KFM.dbo.ToolBoxDocContent as d1"
+ " INNER JOIN KFM.dbo.ToolBoxDocument as d2 ON d1.DocumentId = d2.DocumentId"
+ " WHERE d2.DocumentId = #ID";
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand cmd = new SqlCommand(sqlCommand, connection))
{
cmd.Parameter.Add("#ID", SqlDbType.Int).Value = int.Parse(_id);
try
{
connection.Open();
using (SqlDataReader MyReader = cmd.ExecuteReader()_
{
while (MyReader.Read())
{
string sDueWeek = MyReader["DueWeek"].ToString();
string sTitle = MyReader["DocumentTitle"].ToString();
//string sEnglishBodyContent = MyReader["DocumentBody"].ToString();
//string sFrenchBodyContent = MyReader["DocumentBody"].ToString();
txb_Week.Text = sDueWeek;
txb_Title.Text = sTitle;
}
}
}
catch (Exception ex)
{
Response.Write(ex.Message);
}
}
}
One thing I have noticed in your query is that
space is not provided properly before two joins using '+'. Use space before where
incorrect syntax at where clause. remove extra '=' after and at and = d2.DocumentId = " + _id
Your final query will look like as mentioned below:
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2" +
" where d1.DocumentId = d2.DocumentId and d2.DocumentId =" + _id;
Update:
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2" +
" where d1.DocumentId = d2.DocumentId and d2.DocumentId = '" + _id + "'";
Related
Im doing a Dynamic Query into ASP.NET using SQL Server 2016.
Basically i have some checkbox and textbox:
<asp:CheckBox ID="chk_Precio" runat="server" OnCheckedChanged="chk_Precio_CheckedChanged" AutoPostBack="true" />
<asp:TextBox ID="txtPrecio" runat="server" CssClass="enjoy-css" style="margin-bottom: 0"></asp:TextBox>
<asp:CheckBox ID="chk_Modelo" runat="server" AutoPostBack="true" OnCheckedChanged="chk_Modelo_CheckedChanged" />
<asp:TextBox ID="txtModelo" runat="server" CssClass="enjoy-css" style="margin-bottom: 0"></asp:TextBox>
<asp:Button ID="btnBuscar" CssClass="button" runat="server" Text="Buscar" OnClick="btnBuscar_Click" />
These are validated in chk_Modelo_CheckedChanged.
Inside btnBuscar_Click i have:
protected void btnBuscar_Click(object sender, EventArgs e)
{
string query = "SELECT p.OrderId AS Orden, p.OrderDate as Fechadecompra, '$'+Convert(varchar,convert(money,p.Amount),1) as PrecioCompra, c.ModelCar as Modelo, b.Description_Brand as Marca, c.Color, t.Description_Transmision as Transmision, s.StatusName AS Estado FROM PurchaseOrder AS p INNER JOIN Cars AS c ON p.IdCar = c.IdCar INNER JOIN Brand AS b ON c.IdBrand = b.IdBrand INNER JOIN TransmisionType AS t ON c.IdTransmision = t.IdTransmision INNER JOIN Status AS s on c.IdStatus = s.IdStatus where ";
string varprecio = txtPrecio.Text;
string varModelo = txtModelo.Text;
try
{
if (varprecio != "")
{
query += "(p.Amount = '"+varprecio +"') or";
}
else if(varModelo != "")
{
query += "(c.ModelCar = '"+varModelo +"') or";
}
string str = "Data Source=DESKTOP-77G5EDB\\SQLEXPRESS;Initial Catalog=TallerDB;Integrated Security=True";
SqlConnection sqlConnection = new SqlConnection(str);
SqlCommand cmd = new SqlCommand(query, sqlConnection);
sqlConnection.Open();
SqlDataReader dr = cmd.ExecuteReader();
dtgv_Compras.DataSource = dr;
dtgv_Compras.DataBind();
}
catch (Exception ex)
{
Response.Write("<script>alert('ERROR: " + ex.Message + "')</script>");
}
}
My question is:
How can i validate if my query ends with: OR, delete these OR and my query finish correctly.
query += "(p.Amount = '"+varprecio +"') or";
F.E.:
SELECT p.OrderId AS Orden, p.OrderDate as Fechadecompra, '$'+Convert(varchar,convert(money,p.Amount),1) as PrecioCompra, c.ModelCar as Modelo, b.Description_Brand as Marca, c.Color, t.Description_Transmision as Transmision, s.StatusName AS Estado
FROM PurchaseOrder AS p
INNER JOIN Cars AS c ON p.IdCar = c.IdCar
INNER JOIN Brand AS b ON c.IdBrand = b.IdBrand
INNER JOIN TransmisionType AS t ON c.IdTransmision = t.IdTransmision
INNER JOIN Status AS s on c.IdStatus = s.IdStatus where (p.Amount = '5000')
Thanks in advance
I made some changes in your button click.
protected void btnBuscar_Click(object sender, EventArgs e)
{
string query = "SELECT p.OrderId AS Orden, p.OrderDate as Fechadecompra, '$'+Convert(varchar,convert(money,p.Amount),1) as PrecioCompra, c.ModelCar as Modelo, b.Description_Brand as Marca, c.Color, t.Description_Transmision as Transmision, s.StatusName AS Estado FROM PurchaseOrder AS p INNER JOIN Cars AS c ON p.IdCar = c.IdCar INNER JOIN Brand AS b ON c.IdBrand = b.IdBrand INNER JOIN TransmisionType AS t ON c.IdTransmision = t.IdTransmision INNER JOIN Status AS s on c.IdStatus = s.IdStatus ";
string varprecio = txtPrecio.Text;
string varModelo = txtModelo.Text;
try
{
if (varprecio != "" || varModelo != "")
query += "where ";
if (varprecio != "")
{
query += "(p.Amount = '" + varprecio + "')";
if (varModelo != "")
query += " or ";
}
if (varModelo != "")
{
query += "(c.ModelCar = '" + varModelo + "')";
}
string str = "Data Source=DESKTOP-77G5EDB\\SQLEXPRESS;Initial Catalog=TallerDB;Integrated Security=True";
SqlConnection sqlConnection = new SqlConnection(str);
SqlCommand cmd = new SqlCommand(query, sqlConnection);
sqlConnection.Open();
SqlDataReader dr = cmd.ExecuteReader();
dtgv_Compras.DataSource = dr;
dtgv_Compras.DataBind();
}
catch (Exception ex)
{
Response.Write("<script>alert('ERROR: " + ex.Message + "')</script>");
}
}
Hope this will work for you. Please let me know if you will still facing issue.
Try this so you don't have to check whether they are blank or not
query += "('" + varprecio +"' = '''' or p.Amount = '" + varprecio +"') AND"
query += "('" + varModelo +"' = '''' or c.ModelCar = '"+varModelo +"')";
Which will give you
WHERE ('' = '' OR p.amount = '') AND ('' = '' or c.ModelCar = '')
or
WHERE ('abc' = '' OR p.amount = 'abc') AND ('xyz' = '' or c.ModelCar = 'xyz')
so if they are blank they are ignored on the SQL side.
I was trying in my work with oracle and i found this:
SELECT SUBSTR('select * from table where condicion = value or', 1, (LENGTH('select * from table where condicion = value or') - 2))
FROM dual where (SUBSTR ('select * from table where condicion = value or', -2,LENGTH('select * from table where condicion = value or')) = 'or');
Query:
select * from table where condicion = value or
Result:
I'll convert later to transact-sql in case someone uses the code into oracle.
When I m writing this query in the code on button click to insert the mkey in the xxacl_pn_new_cha_part_h table
it gives me error as
"ORA-00904: "A": invalid identifier"
Here is my code:-
try
{
conn.Open();
OracleDataReader sdr = cmd.ExecuteReader();
while (sdr.Read())
{
cmd.CommandText = "insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part where mkey= " + sdr[0].ToString(); // this query gives error
cmd.ExecuteNonQuery();
strQuery = "UPDATE xxacl_pn_new_cha_part set Rating='" + sdr[2].ToString() + "', RATING_UPDATE_DATE=convert(datetime,'" + System.DateTime.Now.ToString() + "',103) WHERE mkey = " + sdr[0].ToString();
cmd.CommandText = strQuery;
cmd.ExecuteNonQuery();
}
ScriptManager.RegisterStartupScript(this, GetType(), "alertMessage", "alert('Broker rating updated succesfully');", true);
}
I am using Oracle
UPDATE
protected void btnUpdate_Click(object sender, EventArgs e)
{
OracleConnection conn = new OracleConnection(ConfigurationManager.ConnectionStrings["OracleConn"].ConnectionString);
string strQuery = "SELECT distinct ab.mkey, ab.broker_id,CASE WHEN SYSDATE - la.creation_date <= 180 THEN 'A' WHEN SYSDATE - cef_dt <= 30 THEN " +
"'B' ELSE 'C'END rating FROM xxacl_pn_new_cha_part ab,xxacl_pn_lease_det ld,xxacl_pn_leases_all la, " +
"xxcus.xxacl_pn_customer_enquiry_v ce WHERE ab.broker_id = ld.broker_id(+) AND ld.booking_no = la.booking_no(+) " +
" AND ab.broker_id = ce.broker_id(+)";
OracleCommand cmd = new OracleCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = strQuery;
cmd.Connection = conn;
try
{
conn.Open();
OracleDataReader sdr = cmd.ExecuteReader();
while (sdr.Read())
{
cmd.CommandText = "insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey= " + sdr[0].ToString();
cmd.ExecuteNonQuery();
strQuery = "UPDATE xxacl_pn_new_cha_part set Rating='" + sdr[2].ToString() + "', RATING_UPDATE_DATE=convert(datetime,'" + DateTime.Now.ToString() + "',103) WHERE mkey = " + sdr[0].ToString();
cmd.CommandText = strQuery;
cmd.ExecuteNonQuery();
}
ScriptManager.RegisterStartupScript(this, GetType(), "alertMessage", "alert('Broker rating updated succesfully');", true);
}
catch (Exception ex)
{
throw ex;
}
finally
{
conn.Close();
conn.Dispose();
}
}
You are missing the alias name here, try this one
cmd.CommandText = "insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey= " + sdr[0].ToString();
UPDATE:
protected void btnUpdate_Click(object sender, EventArgs e)
{
OracleConnection conn = new OracleConnection(ConfigurationManager.ConnectionStrings["OracleConn"].ConnectionString);
string strQuery = "SELECT distinct ab.mkey, ab.broker_id,CASE WHEN SYSDATE - la.creation_date <= 180 THEN 'A' WHEN SYSDATE - cef_dt <= 30 THEN " +
"'B' ELSE 'C'END rating FROM xxacl_pn_new_cha_part ab,xxacl_pn_lease_det ld,xxacl_pn_leases_all la, " +
"xxcus.xxacl_pn_customer_enquiry_v ce WHERE ab.broker_id = ld.broker_id(+) AND ld.booking_no = la.booking_no(+) " +
" AND ab.broker_id = ce.broker_id(+)";
OracleCommand cmd = new OracleCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = strQuery;
cmd.Connection = conn;
try
{
conn.Open();
OracleDataReader sdr = cmd.ExecuteReader();
while (sdr.Read())
{
cmd.CommandText = "insert into xxacl_pn_new_cha_part_h select 0, sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey= " + sdr[0].ToString();
cmd.ExecuteNonQuery();
strQuery = "UPDATE xxacl_pn_new_cha_part set Rating='" + sdr[2].ToString() + "', RATING_UPDATE_DATE=to_date('" + DateTime.Now.ToString() + "','dd-mm-yyyy hh:mi:ss am') WHERE mkey = " + sdr[0].ToString();
cmd.CommandText = strQuery;
cmd.ExecuteNonQuery();
}
ScriptManager.RegisterStartupScript(this, GetType(), "alertMessage", "alert('Broker rating updated succesfully');", true);
}
catch (Exception ex)
{
throw ex;
}
finally
{
conn.Close();
conn.Dispose();
}
}
You missed the alias name of a table
"insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey= " + sdr[0].ToString();
I am writing a code to query .CSV file using SQL below is my code which works perfectly fine
string fileDirectory = #"C:\TechnicalTest\GskTest\Csv\SampleData.csv";
string strCSVConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source="
+ fileDirectory + ";Extended Properties='text;HDR=YES;'";
string sqlCust = "Select Count(order_id), order_id, contact_id from SampleData.csv "
+ "Group by order_id, contact_id "
+ "Order by 1 Desc";
string sqlProd = "Select Count(order_id), product_id from SampleData.csv "
+ "Group by product_id "
+ "Order by 1 Desc";
string sqlOrders = "Select Count(order_id) from SampleData.csv "
+"Order by 1 Desc";
OleDbConnection con = new OleDbConnection("Provider=Microsoft.Jet.OleDb.4.0; Data Source = " + System.IO.Path.GetDirectoryName(fileDirectory) + "; Extended Properties = \"Text;HDR=YES;FMT=Delimited\"");
con.Open();
OleDbDataAdapter daCust = new OleDbDataAdapter(sqlCust, con);
DataTable dtCust = new DataTable();
daCust.Fill(dtCust);
OleDbDataAdapter daProd = new OleDbDataAdapter(sqlProd, con);
DataTable dtProd = new DataTable();
daProd.Fill(dtProd);
OleDbDataAdapter daOrders = new OleDbDataAdapter(sqlOrders, con);
DataTable dtOrders = new DataTable();
daOrders.Fill(dtOrders);
con.Close();
But when I am trying to call the same code from the function by passing the file path which is retrieved from asp.net file upload control it does not work. Please see the code below.
protected void btnSubmit_Click(object sender, EventArgs e)
{
if (fupPath.HasFile)
{
string filename = Path.GetFileName(fupPath.FileName);
String csv_file_path = Path.Combine(Server.MapPath("~/Csv"), filename);
fupPath.SaveAs(csv_file_path);
Summery(csv_file_path);
DataTable csvData = GetDataTabletFromCSVFile(csv_file_path);
Response.Write("Rows count:" + csvData.Rows.Count);
//dtSummary(csvData);
}
}
protected void Summery(string fileName)
{
//string fileDirectory = #"C:\TechnicalTest\GskTest\Csv\SampleData.csv";
string fileDirectory = fileName;
//string strCSVConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source="
// + System.IO.Path.GetDirectoryName(fileDirectory) + ";Extended Properties='text;HDR=YES;FMT=Delimited\'";
string sqlCust = "Select Count(order_id), order_id, contact_id from SampleData.csv "
+ "Group by order_id, contact_id "
+ "Order by 1 Desc";
string sqlProd = "Select Count(order_id), product_id from SampleData.csv "
+ "Group by product_id "
+ "Order by 1 Desc";
string sqlOrders = "Select Count(order_id) from SampleData.csv "
+ "Order by 1 Desc";
OleDbConnection conn = new OleDbConnection("Provider=Microsoft.Jet.OleDb.4.0; Data Source = " + System.IO.Path.GetDirectoryName(fileDirectory) + "; Extended Properties = \"Text;HDR=YES;FMT=Delimited\"");
//OleDbConnection conn = new OleDbConnection(strCSVConnString);
conn.Open();
OleDbDataAdapter daCust = new OleDbDataAdapter(sqlCust, conn);
DataTable dtCust = new DataTable();
daCust.Fill(dtCust);
daCust.Dispose();
OleDbDataAdapter daProd = new OleDbDataAdapter(sqlProd, conn);
DataTable dtProd = new DataTable();
daProd.Fill(dtProd);
daProd.Dispose();
OleDbDataAdapter daOrders = new OleDbDataAdapter(sqlOrders, conn);
DataTable dtOrders = new DataTable();
daOrders.Fill(dtOrders);
daOrders.Dispose();
conn.Close();
}
You need to call a sheet name SheetName$ instead of file name SampleData.csv.
For example,
Select Count(order_id), order_id, contact_id from [SheetName$]
Normally, here is how you get a file path in ASP.Net, because you do not know the drive letter where your web application is hosted. In addition, you do not have access to a file located outside of web application.
var filePath = string.Format("{0}App_Data\\ExportImport\\{1}",
HttpRuntime.AppDomainAppPath, "SampleData.csv");
I was writing a web based program and this is my authentication page. It was working fine but suddenly it started to give that error.
Here is my code:
else if (LoginAs.SelectedValue == "Student")
{
string tableName = "StudentTable";
String name = "", surname = "", email = "";
string query = "Select level from " + tableName + " where ID='" + idBox.Text + "'";
SqlCommand cmd = new SqlCommand(query, con);
string level = Convert.ToString(cmd.ExecuteScalar());
CreateUser(con, tableName, ref name, ref surname, ref email);
query = "Select program from " + tableName + " where ID='" + idBox.Text + "'";
cmd = new SqlCommand(query, con);
string program = Convert.ToString(cmd.ExecuteScalar());
MyGlobals.student = new Student(Convert.ToInt32(idBox.Text), "Active", email, name, surname, password, level, program);
MyGlobals.currentID = idBox.Text;
query = "Select * from RegisterTable where StudentID='" + idBox.Text + "'";
cmd = new SqlCommand(query, con);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataTable dt = new DataTable();
da.Fill(dt);
foreach (DataRow dr in dt.Rows)
{
query = "SELECT * FROM CourseTable WHERE CourseCode='" + dr["CourseCode"] + "' AND CourseNumber='" + dr["CourseNumber"] + "' AND Term='" + dr["Term"] + "'";
cmd = new SqlCommand(query, con);
SqlDataAdapter da2 = new SqlDataAdapter(cmd);
DataTable dt2 = new DataTable();
da2.Fill(dt2);
DataRow dr2 = dt2.Rows[0]; //ERROR COMES AT HERE
Course course = new Course(dr2["InstructorName"].ToString(), dr2["CourseCode"].ToString(), dr2["CourseNumber"].ToString(), dr2["CourseName"].ToString(), dr2["Term"].ToString(), dr2["CRN"].ToString(), dr2["Level"].ToString(), dr2["Credit"].ToString(), dr2["Description"].ToString(), dr2["Capacity"].ToString());
Register reg = new Register(course, MyGlobals.student);
MyGlobals.student.addToSchedule(reg);
}
int num = (int)Application["OnlineUsers"];
Response.Redirect("Student.aspx");
}
Can anyone help me with this? Thanks in advance.
You don't specify where the exception is thrown but a very common reason for this (my opinion) is that your query doesn't return any results (or rows).
I have been hearing about parametrized queries every time I ask a question about database here. It looks like I am not using parametrized queries and my code may suffer from SQL injection. So here is my code:
public void CreateStudent(int ID, String status, String email, String firstName, String lastName, String password, String level, String program)
{
SqlConnection con = new SqlConnection(GetConnectionString());
string query1 = "insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) values ("
+ "'" + firstName + "'" + "," + "'" + lastName + "'" + ","
+ "'" + ID + "'" + "," + "'" + email + "'" + "," + "'" + level + "'" + "," + "'" + program + "'" + "," + "'" + status + "'"
+ "," + "'" + password + "'" + "," + "'" + "Student" + "'" + ")";
SqlCommand command = new SqlCommand(query1,con);
int result;
con.Open();
result = command.ExecuteNonQuery();
con.Close();
}
Here is what I have tried:
SqlConnection con = new SqlConnection(GetConnectionString());
string query1 = "insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) values(#firstName,#lastName,#ID,#email,#level,#program,#status,#password,Student)";
SqlCommand command = new SqlCommand(query1,con);
command.Parameters.AddWithValue("#firstName", firstName);
command.Parameters.AddWithValue("#lastName", lastName);
command.Parameters.AddWithValue("#ID", ID);
command.Parameters.AddWithValue("#email", email);
command.Parameters.AddWithValue("#level", level);
command.Parameters.AddWithValue("#program", program);
command.Parameters.AddWithValue("#status", status);
command.Parameters.AddWithValue("#password", password);
int result;
con.Open();
result = command.ExecuteNonQuery();
con.Close();
This gives an error saying that Student is an invalid column name. Actually, here I try to use "Student" as a string value to be added to the column Type. Can somebody write this query as a parametrized query so that I can understand it?
In that case it should be 'Student'
SqlConnection con = new SqlConnection(GetConnectionString());
string query1 = "insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) values(#firstName,#lastName,#ID,#email,#level,#program,#status,#password,'Student')";
SqlCommand command = new SqlCommand(query1,con);
command.Parameters.AddWithValue("#firstName", firstName);
command.Parameters.AddWithValue("#lastName", lastName);
command.Parameters.AddWithValue("#ID", ID);
command.Parameters.AddWithValue("#email", email);
command.Parameters.AddWithValue("#level", level);
command.Parameters.AddWithValue("#program", program);
command.Parameters.AddWithValue("#status", status);
command.Parameters.AddWithValue("#password", password);
int result;
con.Open();
result = command.ExecuteNonQuery();
con.Close();
Check this link
public void CreateStudent(int ID, String status, String email, String firstName, String lastName, String password, String level, String program)
{
SqlConnection con = new SqlConnection(GetConnectionString());
using (
SqlCommand command =
new SqlCommand(
#"insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) values
(#name, #surname, #id, #email, #level, #program, #status,#password,'Student')",
con))
{
//
// Add new SqlParameter to the command.
//
command.Parameters.Add(new SqlParameter("name", firstName));
command.Parameters.Add(new SqlParameter("surname", lastName));
command.Parameters.Add(new SqlParameter("id", ID));
command.Parameters.Add(new SqlParameter("email", email));
command.Parameters.Add(new SqlParameter("level", level));
command.Parameters.Add(new SqlParameter("program", program));
command.Parameters.Add(new SqlParameter("status", status));
int result;
con.Open();
result = command.ExecuteNonQuery();
con.Close();
}
}