user2961698

Reputation: 9

Incorrect syntax near '=' in C# .NET

I'm trying to update data in the database, but it throws an exception: Incorrect syntax near '='.

try
{
    SqlCommand cmd = new SqlCommand("upgrade LoginForm set Password ='" + txtConPassword.Text + "' where UserName ='" + txtUser.Text + "' ", conn);
    var test = cmd.ExecuteNonQuery();
    if (test == 1)
    {
        MessageBox.Show("Password has been reset");
    }
    else
    {
        MessageBox.Show("Password did not reset");
    }
}
catch (Exception ex)
{
    MessageBox.Show("Failed....." + ex.Message);
}

Upvotes: 0

Views: 1775

Answers (4)

Mukesh Sagar

Reputation: 31

You can write the same code another way:

try
{
    SqlCommand cmd = new SqlCommand();
    cmd.CommandType = CommandType.Text;
    cmd.CommandText = "update LoginForm set Password ='" + txtConPassword.Text + "' where UserName ='" + txtUser.Text + "'";
    cmd.Connection = conn;
    conn.Open();
    var test = cmd.ExecuteNonQuery();
    if (test == 1)
    {
        MessageBox.Show("Password has been reset");
    }
    else
    {
        MessageBox.Show("Password did not reset");
    }
}
catch (Exception ex)
{
    MessageBox.Show("Failed....." + ex.Message);
}
finally
{
    // Close the connection whether or not the update succeeded
    if (conn.State == ConnectionState.Open)
    {
        conn.Close();
    }
}

Upvotes: -2

Sudhakar Tillapudi

Reputation: 26209

In your SQL query you are using upgrade; please use update instead of upgrade.

Replace this:

SqlCommand cmd = new SqlCommand("upgrade LoginForm set Password ='" + txtConPassword.Text + "' where UserName ='" + txtUser.Text + "' ", conn);

With the following:

SqlCommand cmd = new SqlCommand("update LoginForm set Password ='" + txtConPassword.Text + "' where UserName ='" + txtUser.Text + "' ", conn);

Moreover, please don't assign your values directly into the SQL parameter query, as it can lead to SQL parameter injection attacks.

Upvotes: 1

Steve Martin

Reputation: 1642

UPGRADE should be UPDATE.

Also, please look up SQL parameterisation and password hashing before you release any code to production.

Upvotes: 0

gzaxx

Reputation: 17600

First change your upgrade to update. Second use parametrized queries.

SqlCommand cmd = new SqlCommand("update LoginForm set Password = @password where UserName = @user", conn);
cmd.Parameters.AddWithValue("@password", txtConPassword.Text);
cmd.Parameters.AddWithValue("@user", txtUser.Text);
var test = cmd.ExecuteNonQuery();

if (test == 1)
{
    MessageBox.Show("Password has been reset");
}
else
{
    MessageBox.Show("Password did not reset");
}

Parametrized queries secure you from SQL injection attacks. Also, variable types are resolved by the framework (useful when passing a DateTime variable to a query).

Also, please tag your questions more precisely, because there are a lot of DBMS engines and sometimes it may be hard to guess which DBMS you are using.

Upvotes: 4
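
An added example (not code from the question or from any answer) that combines the two recommendations made in the answers above: the parameterized update, plus a salted PBKDF2 hash stored in place of the plain-text password. It assumes .NET 6 or later with a SqlClient package referenced; the `PasswordReset` class, its method names, the stored-string format, the iteration count and the column sizes are assumptions, not taken from the page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

static class PasswordReset   // hypothetical helper, not from the page
{
    const int Iterations = 600_000;          // assumed PBKDF2-HMAC-SHA256 work factor
    const int SaltBytes = 16, HashBytes = 32;

    // Returns "iterations.salt.hash" (base64 parts) so the parameters travel with the hash.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1)
            return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Parameterized UPDATE: user input is bound as data, never spliced into the SQL text.
    public static bool Reset(SqlConnection conn, string userName, string newPassword)
    {
        using (var cmd = new SqlCommand(
            "update LoginForm set Password = @password where UserName = @user", conn))
        {
            // Explicit types and sizes (column sizes are assumed) instead of AddWithValue inference.
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = Hash(newPassword);
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            return cmd.ExecuteNonQuery() == 1;   // exactly one row should match the user
        }
    }
}
```

At login, read the stored string for the user with a parameterized select and pass it to `Verify` rather than comparing passwords in SQL.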
