2013-11-15 125 views
0

I am trying to run the code below and get a syntax error in the query:

private void btnUpdate_Click(object sender, EventArgs e) 
{ 
    if (txtNewPassword.Text.Length > 4 && txtNewPassword.Text.Equals(txtConfirmPassword.Text)) 
    { 
     try 
     { 
      OleDbConnection connection = new OleDbConnection(MDFConfiguration.getConnectionString()); 
      connection.Open(); 

      int updatedRecordCount = updateExistingUserRecord(connection); 

      if (updatedRecordCount > 0) 
      { 
       MessageBox.Show("Password Changed Successfully"); 
      } 
      else 
      { 
       MessageBox.Show("There was some error during updated"); 
      } 

      connection.Close(); 

     } 
     catch (Exception ex) 
     { 
      Console.WriteLine(ex.ToString()); 
      MessageBox.Show("exception: " + ex.ToString()); 
     } 
    } 
    else 
    { 
     MessageBox.Show("New Password does not match required criteria"); 
    } 
} 

private int updateExistingUserRecord(OleDbConnection connection) 
{ 
    string sql = "UPDATE " + MDFConfiguration.LOGIN_INFO_TABLE + " SET " + 
     " password = '" + MDFUtils.CreateMD5Hash(txtNewPassword.Text) + "' WHERE " + 
     " login_name = '" + cmbLoginNames.SelectedItem.ToString() + "'"; 

    Console.WriteLine("sql = " + sql); 

    OleDbCommand command = new OleDbCommand(sql, connection); 
    return command.ExecuteNonQuery(); 
} 

When I run this code it gives me a syntax error in the query at runtime, but when I take the same query that Console.WriteLine prints in the code above and run it directly in MS Access, it runs without any error.

The query printed by Console.WriteLine is:

UPDATE MDF_LOGIN_INFO SET password = 'E206A54E97690CCE50CC872DD70EE896' WHERE login_name = 'admin' 

Exception log:

A first chance exception of type 'System.Data.OleDb.OleDbException' occurred in System.Data.dll 
System.Data.OleDb.OleDbException (0x80040E14): Syntax error in UPDATE statement. 
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) 
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) 
    at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) 
    at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) 
    at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) 
    at System.Data.OleDb.OleDbCommand.ExecuteNonQuery() 
    at MDFData.AdminToolForm.updateExistingUserRecord(OleDbConnection connection) in c:\Users\UBAID ULLAH\Documents\Visual Studio 2012\Projects\Backup MDFData\MDFData\AdminToolForm.cs:line 114 
    at MDFData.AdminToolForm.btnUpdate_Click(Object sender, EventArgs e) in c:\Users\UBAID ULLAH\Documents\Visual Studio 2012\Projects\Backup MDFData\MDFData\AdminToolForm.cs:line 79 

Any suggestions?

+1

You really need to consider using SQL parameters. Your code, especially given the password hashing, is incredibly insecure. – Arran

+1

Are 'password' and 'login_name' both strings? Have you tried wrapping the column names in square brackets, in case they clash with reserved names? – James

+1

Try adding brackets around the column names: '[password]' and '[login_name]' –

Answer

1

Wrap the column names in square brackets; chances are password and login_name are reserved words and are conflicting with your UPDATE statement, i.e.

UPDATE MDF_LOGIN_INFO 
SET [password] = 'E206A54E97690CCE50CC872DD70EE896' 
WHERE [login_name] = 'admin' 

I would also suggest you look at using SQL Parameters in your query instead of raw SQL, since at the moment it is open to SQL Injection.
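The same UPDATE written the way the answer recommends, as an added example that is not code from the question or the answer: the column names are bracketed so they cannot collide with reserved words, and the values travel as OleDb parameters instead of being concatenated into the SQL text. It assumes the table name MDF_LOGIN_INFO and the columns password and login_name from the question, and that the caller passes in the already-hashed password (the question's MDFUtils.CreateMD5Hash); the class and method names are my own.

```csharp
using System;
using System.Data.OleDb;

// Added example, not the asker's or answerer's code. Replaces the
// string-concatenating updateExistingUserRecord from the question with a
// parameterised command against the same table and columns.
static class LoginInfoUpdater
{
    // Returns the number of affected rows, just like the original
    // updateExistingUserRecord, so the caller's "> 0" check still works.
    public static int UpdatePasswordHash(OleDbConnection connection,
                                         string loginName,
                                         string passwordHash)
    {
        // Identifiers are bracketed ([password], [login_name]) so Access/Jet
        // does not read them as reserved words. Values are '?' placeholders:
        // the OLE DB provider for Access ignores parameter names and binds
        // them by position, so the Add() order below must match the '?' order.
        const string sql =
            "UPDATE MDF_LOGIN_INFO SET [password] = ? WHERE [login_name] = ?";

        using (OleDbCommand command = new OleDbCommand(sql, connection))
        {
            command.Parameters.Add("@password", OleDbType.VarWChar).Value = passwordHash;
            command.Parameters.Add("@login_name", OleDbType.VarWChar).Value = loginName;

            // A login name such as O'Brien, or any other quote or SQL fragment,
            // is delivered to the engine as data and never becomes part of the
            // statement text, which closes the injection hole the answer mentions.
            return command.ExecuteNonQuery();
        }
    }

    // How the question's btnUpdate_Click would call it (connection string
    // comes from the question's MDFConfiguration helper; assumed to exist).
    public static int Example(string connectionString, string loginName, string passwordHash)
    {
        using (OleDbConnection connection = new OleDbConnection(connectionString))
        {
            connection.Open();
            return UpdatePasswordHash(connection, loginName, passwordHash);
        }
    }
}
```

Because the statement text is now a constant, the Console.WriteLine("sql = " + sql) debugging line from the question is no longer needed to see what reaches the database, and the password hash never appears in a log line. The choice of hash function is a separate matter that Arran's comment raises; this example only changes how the value is passed to the query.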