我在尝试更新MSAccess中其字段中的数据类型为“文本”的表。但是当我运行代码时,它会在UPDATE语句中显示sysntax错误。这里是我的VB代码:SQL更新查询中的语法错误
昏暗的用户作为字符串 昏暗的密码作为字符串 昏暗DTT作为新的DataTable
Dim cmd As New OleDb.OleDbCommand
user = Me.TextBox1.Text
password = Me.TextBox2.Text
If Not cnn.State = ConnectionState.Open Then
cnn.Open()
End If
Try
Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)
' MsgBox("STUDENT SAVED!!", MsgBoxStyle.MsgBoxRight)
daA.Fill(dtT)
Me.DG1.DataSource = dtT
'password = DG1.Item(0, 0).Value
'ss1 = DG1.Item(1, 0).Value
If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then
cmd.Connection = cnn
cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text
System.Console.WriteLine(cmd.CommandText)
Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo)
If result = DialogResult.Yes Then
cmd.ExecuteNonQuery()
MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight)
Panel1.Hide()
End If
Else
MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical)
End If
cnn.Close()
Catch ex As Exception
MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical)
End Try
无论是数字或不,应该始终有引号,以防止注射。 – 2012-07-20 17:21:06
报价不会做任何事情来防止注射。正确的转义/消毒/参数化可以做到这一点。如果您可以注射数据,您可以轻松注入一个报价。 – 2012-07-20 17:33:22