Reputation: 1
Syntax error in SQL update query
I'm trying to update a table in MSAccess whose fields have data type of 'Text'. But when I run the code it shows sysntax error in UPDATE statement. Here is my vb code:
Dim user As String Dim password As String Dim dtT As New DataTable
Dim cmd As New OleDb.OleDbCommand
user = Me.TextBox1.Text
password = Me.TextBox2.Text
If Not cnn.State = ConnectionState.Open Then
cnn.Open()
End If
Try
Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)
' MsgBox("STUDENT SAVED!!", MsgBoxStyle.MsgBoxRight)
daA.Fill(dtT)
Me.DG1.DataSource = dtT
'password = DG1.Item(0, 0).Value
'ss1 = DG1.Item(1, 0).Value
If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then
cmd.Connection = cnn
cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text
System.Console.WriteLine(cmd.CommandText)
Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo)
If result = DialogResult.Yes Then
cmd.ExecuteNonQuery()
MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight)
Panel1.Hide()
End If
Else
MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical)
End If
cnn.Close()
Catch ex As Exception
MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical)
End Try
Upvotes: 0
Views: 226
Answers (3)
Reputation: 216263
Never use string concatenation to create SQL commands. Use always PARAMETERS
This will resolve two problems:
Single quote inside your strings, but, the most important thing, avoid SQL Injection Attacks
Dim cmd As New OleDb.OleDbCommand
user = Me.TextBox1.Text
password = Me.TextBox2.Text
If Not cnn.State = ConnectionState.Open Then
cnn.Open()
End If
Try
Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE `password` =?", cnn)
daA.SelectCommand.Parameters.AddWithValue("@pass", password);
daA.Fill(dtT)
Me.DG1.DataSource = dtT
If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then
cmd.Connection = cnn
cmd.CommandText = "UPDATE adlogin SET `password` = ? WHERE `user` = ?"
Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo)
If result = DialogResult.Yes Then
cmd.Parameters.AddWithValue("@pass", Me.TextBox3.Text)
cmd.Parameters.AddWithValue("@user", user)
cmd.ExecuteNonQuery()
MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight)
Panel1.Hide()
End If
Else
MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical)
End If
cnn.Close()
Catch ex As Exception
MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical)
End Try
Upvotes: 2
Reputation: 7438
You need to put a space after the * on this line :
Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)
to
Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)
You also need to put your variable between '
cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text
to
cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user ='" & Me.TextBox1.Text & "'"
Upvotes: 0
Reputation: 360572
A couple things:
SELECT *FROM adlogin etc...
^---no space
UPDATE adlogin [..snip...] WHERE user =" & Me.TextBox1.Text
^---- is "user" a numeric field? needs quotes if not.
Upvotes: 0
Related Questions
- VB.NET Syntax error in UPDATE statement
- UPDATE query syntax error in vb.net using mysql
- Solve error in update query
- Syntax error in UPDATE statement OleDb Exception
- There is a Syntax error in UPDATE statement
- SYNTAX error with Update statement VB.NET
- Syntax Error in SQL UPDATE statement but it all seems ok :(
- update syntax error in the code any help on this
- SQL syntax error in Update statement VB.net
- syntax error in sql update statement in vb