Delphi 10 - SQL statement Syntax error Update

Question

I have no idea whats wrong with my Code it keeps giving my an Synxtax error in UPDATE statement here is the code :

  adoQueryUsers.SQL.Clear;
      adoQueryUsers.SQL.Add('Update Users SET Password = "' +
          EdtPassword.Text + '"  where Username = "' + sUsername + '"  ');
      adoQueryUsers.Active := true;
      adoQueryUsers.ExecSQL;

I did try using adoQueryUsers.SQL.Text : = but it gives me the exact same problem.

Answer 1

You have several issues in your code.

Let's start with the inappropriate call to

adoQueryUsers.Active := true;

You only use TADOQuery.Active or TADOQuery.Open on a SQL statement that returns a rowset. Your statement does not do so, so remove that statement. The TADOQuery.ExecSQL is the only one that is relevant here.

Next, stop trying to concatenate SQL, and use parameters instead. It's no more code and it properly handles things like quoting values, formatting dates, etc. It also prevents SQL injection issues for you.

adoQueryUsers.SQL.Clear;
adoQueryUsers.SQL.Add('Update Users SET Password = :Password')
adoQueryUsers.SQL.Add('Where UserName = :UserName');
adoQueryUsers.Parameters.ParamByName('Password').Value := EdtPassword.Text;
adoQueryUsers.Parameters.ParamByName('UserName').Value := sUserName;
adoQueryUsers.ExecSQL;

Answer 2

Remove your 'adoQueryUsers.Active := true;'. This is an update statement and don't return a recordset. Only your ExecSQL is needed.

Also, I would use parameters instead of parsing the password and user directly into the query or you're exposed to SQL injection