Naturally, if you input something in a text box, you can always enter some data which is not parsed as int. Just check your query under the debugger, and you will see what's wrong.
But you are doing it wrong. You should never create the query by concatenation of strings with strings obtained from the UI. At least, you should parse the data to an integer (int.Parse or int.TryParse) separately. But you cannot do this because you are not using parametrized statements. You should use them, and use typed data, not strings. Please see:
http://msdn.microsoft.com/en-us/library/ms254953.aspx
Not only is it the right thing to do, but failure to do so opens the doors to a well-known exploit called SQL injection:
http://en.wikipedia.org/wiki/SQL_injection
So, you should never do what you are doing. In the article referenced above, the importance of parametrized statements is explained. Always use them.
[EDIT]
This is a great explanation of the essence of things:
http://xkcd.com/327/
Please also see my past answers:
hi name is not displaying in name?,
EROR IN UPATE in com.ExecuteNonQuery();
—SA
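As an added illustration of the answer above (example code written for this page, not code from the original answer or from the linked MSDN article), here is the concatenated UPDATE the answer warns against next to the parametrized, typed form it recommends. The table name `Customers`, its columns `Id` (int) and `Name` (nvarchar), the method names and the connection string are all assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class CustomerUpdate
{
    // WRONG (what the question does): the text-box strings are pasted straight
    // into the SQL text. Whatever the user typed, whether it parses as an int or
    // not, becomes part of the statement the server executes.
    public static int RenameUnsafe(SqlConnection conn, string idFromTextBox, string nameFromTextBox)
    {
        string sql = "UPDATE Customers SET Name = '" + nameFromTextBox +
                     "' WHERE Id = " + idFromTextBox;
        using (var cmd = new SqlCommand(sql, conn))
            return cmd.ExecuteNonQuery(); // rows affected
    }

    // RIGHT (what the answer recommends): validate the id as an int first, then
    // pass both values as typed parameters. The statement text never changes;
    // the values travel separately and are never interpreted as SQL.
    public static int RenameSafe(SqlConnection conn, string idFromTextBox, string nameFromTextBox)
    {
        int id;
        if (!int.TryParse(idFromTextBox, out id))
            throw new ArgumentException("Id must be an integer.", nameof(idFromTextBox));

        const string sql = "UPDATE Customers SET Name = @Name WHERE Id = @Id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = nameFromTextBox;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            return cmd.ExecuteNonQuery(); // rows affected
        }
    }

    static void Main()
    {
        // Hypothetical connection string; replace with your own.
        const string connectionString = "Server=.;Database=Shop;Integrated Security=true";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            int rows = RenameSafe(conn, "42", "Alice");
            Console.WriteLine("Rows updated: " + rows);
        }
    }
}
```

Note that `RenameSafe` rejects a non-integer id before any SQL is built, which is the "parse data to integer separately" step; and because the id is sent as `SqlDbType.Int` and the name as `SqlDbType.NVarChar`, the server receives typed data rather than text spliced into the query, so a stray quote in the name cannot alter the statement.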