1. 首页
  2. 问答
  3. SQL更新查询中的语法错误

SQL更新查询中的语法错误

2012-07-20 38 views
0

我在尝试更新MSAccess中其字段中的数据类型为“文本”的表。但是当我运行代码时,它会在UPDATE语句中显示sysntax错误。这里是我的VB代码:SQL更新查询中的语法错误

昏暗的用户作为字符串 昏暗的密码作为字符串 昏暗DTT作为新的DataTable

Dim cmd As New OleDb.OleDbCommand 

    user = Me.TextBox1.Text 
    password = Me.TextBox2.Text 


    If Not cnn.State = ConnectionState.Open Then 

     cnn.Open() 
    End If 
    Try 
     Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn) 

     ' MsgBox("STUDENT SAVED!!", MsgBoxStyle.MsgBoxRight) 

     daA.Fill(dtT) 
     Me.DG1.DataSource = dtT 


     'password = DG1.Item(0, 0).Value 
     'ss1 = DG1.Item(1, 0).Value 

     If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then 


      cmd.Connection = cnn 
      cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text 
      System.Console.WriteLine(cmd.CommandText) 

      Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo) 

      If result = DialogResult.Yes Then 
       cmd.ExecuteNonQuery() 
       MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight) 
       Panel1.Hide() 
      End If 


     Else 
      MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical) 

     End If 
     cnn.Close() 

    Catch ex As Exception 
     MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical) 
    End Try

来源

2012-07-20 user1541377

回答

0

你需要把一个空格后的*在这条线:

Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

你也需要把几件事情之间的“

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user ='" & Me.TextBox1.Text & "'"

来源

2012-07-20 17:12:11

0

您的变量:

SELECT *FROM adlogin etc... 
     ^---no space 

UPDATE adlogin [..snip...] WHERE user =" & Me.TextBox1.Text 
             ^---- is "user" a numeric field? needs quotes if not.

来源

2012-07-20 17:12:34

+0

无论是数字或不,应该始终有引号,以防止注射。 – 2012-07-20 17:21:06

+1

报价不会做任何事情来防止注射。正确的转义/消毒/参数化可以做到这一点。如果您可以注射数据,您可以轻松注入一个报价。 – 2012-07-20 17:33:22

2

切勿使用字符串连接创建的SQL命令。总是使用PARAMETERS
这将解决两个问题:你的字符串里面 单引号,但是,最重要的事情,避免SQL Injection Attacks

Dim cmd As New OleDb.OleDbCommand 
user = Me.TextBox1.Text 
password = Me.TextBox2.Text 

If Not cnn.State = ConnectionState.Open Then 
    cnn.Open() 
End If 

Try 
    Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE `password` =?", cnn) 
    daA.SelectCommand.Parameters.AddWithValue("@pass", password); 
    daA.Fill(dtT) 
    Me.DG1.DataSource = dtT 


    If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then 
     cmd.Connection = cnn 
     cmd.CommandText = "UPDATE adlogin SET `password` = ? WHERE `user` = ?" 
     Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo) 
     If result = DialogResult.Yes Then 
      cmd.Parameters.AddWithValue("@pass", Me.TextBox3.Text) 
      cmd.Parameters.AddWithValue("@user", user) 
      cmd.ExecuteNonQuery() 
      MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight) 
      Panel1.Hide() 
     End If 
    Else 
     MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical) 
    End If 
    cnn.Close() 
Catch ex As Exception 
    MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical) 
End Try

来源

2012-07-20 18:12:33 Steve

相关问题

 相关问题