2013-11-15 104 views
0

I am trying to run the following code and get "Syntax error in UPDATE statement":

using System;
using System.Data.OleDb;
using System.Windows.Forms;

private void btnUpdate_Click(object sender, EventArgs e)
{
    // Minimal password policy: longer than 4 characters and both boxes match.
    if (txtNewPassword.Text.Length > 4 && txtNewPassword.Text.Equals(txtConfirmPassword.Text))
    {
        try
        {
            OleDbConnection connection = new OleDbConnection(MDFConfiguration.getConnectionString());
            connection.Open();

            int updatedRecordCount = updateExistingUserRecord(connection);

            if (updatedRecordCount > 0)
            {
                MessageBox.Show("Password Changed Successfully");
            }
            else
            {
                MessageBox.Show("There was some error during update");
            }

            connection.Close();
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
            MessageBox.Show("exception: " + ex.ToString());
        }
    }
    else
    {
        MessageBox.Show("New Password does not match required criteria");
    }
}

private int updateExistingUserRecord(OleDbConnection connection)
{
    // The UPDATE statement is built by concatenating the hashed password and
    // the selected login name directly into the SQL text.
    string sql = "UPDATE " + MDFConfiguration.LOGIN_INFO_TABLE + " SET " +
        " password = '" + MDFUtils.CreateMD5Hash(txtNewPassword.Text) + "' WHERE " +
        " login_name = '" + cmbLoginNames.SelectedItem.ToString() + "'";

    Console.WriteLine("sql = " + sql);

    OleDbCommand command = new OleDbCommand(sql, connection);
    return command.ExecuteNonQuery();
}

When I run this code it gives me a syntax error in the query at runtime, but when I take the same query that Console.WriteLine prints in the code above and run it directly in MS Access, it runs without any error.

The query printed by Console.WriteLine is:

UPDATE MDF_LOGIN_INFO SET password = 'E206A54E97690CCE50CC872DD70EE896' WHERE login_name = 'admin' 

Exception log:

A first chance exception of type 'System.Data.OleDb.OleDbException' occurred in System.Data.dll 
System.Data.OleDb.OleDbException (0x80040E14): Syntax error in UPDATE statement. 
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) 
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) 
    at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) 
    at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) 
    at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) 
    at System.Data.OleDb.OleDbCommand.ExecuteNonQuery() 
    at MDFData.AdminToolForm.updateExistingUserRecord(OleDbConnection connection) in c:\Users\UBAID ULLAH\Documents\Visual Studio 2012\Projects\Backup MDFData\MDFData\AdminToolForm.cs:line 114 
    at MDFData.AdminToolForm.btnUpdate_Click(Object sender, EventArgs e) in c:\Users\UBAID ULLAH\Documents\Visual Studio 2012\Projects\Backup MDFData\MDFData\AdminToolForm.cs:line 79 

Any suggestions?

+1

You really need to consider using SQL parameters. Your code, especially considering the password hashing, is incredibly insecure. – Arran

+1

Are 'password' and 'login_name' both strings? Have you tried wrapping the column names in square brackets, since they clash with reserved names? – James

+1

Try adding brackets around the column names: '[password]' and '[login_name]' –

Answer

1

Wrap the column names in square brackets - chances are 'password' and 'login_name' are reserved words and are causing a conflict in your update statement, i.e.

UPDATE MDF_LOGIN_INFO 
SET [password] = 'E206A54E97690CCE50CC872DD70EE896' 
WHERE [login_name] = 'admin' 

I would also suggest you look at using SQL Parameters in your query instead of raw SQL, as at the moment it is open to SQL Injection.
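The two points of the answer, bracketed column names and parameterised values, combined into one replacement for updateExistingUserRecord. This is an added example, not code from the original post: the table name MDF_LOGIN_INFO and the column names come from the question, while the connection string and the hash helper are passed in as arguments so the method does not depend on the poster's MDFConfiguration or MDFUtils classes (those helper names are assumed, not defined here).

```csharp
using System;
using System.Data.OleDb;

// Added example (not from the original post). Assumes an MS Access database
// reachable through the OLE DB connection string passed to ChangePassword and
// a table MDF_LOGIN_INFO with text columns [login_name] and [password].
public static class PasswordUpdater
{
    public const string LoginInfoTable = "MDF_LOGIN_INFO";

    // "password" is a reserved word for the Jet/ACE (Access) provider, so it
    // must be bracketed. The values are NOT part of the SQL text: each '?' is
    // a positional placeholder the provider fills from the parameter list.
    public const string UpdateSql =
        "UPDATE [" + LoginInfoTable + "] " +
        "SET [password] = ? " +
        "WHERE [login_name] = ?";

    public static int UpdateExistingUserRecord(
        OleDbConnection connection, string loginName, string newPasswordHash)
    {
        using (var command = new OleDbCommand(UpdateSql, connection))
        {
            // OleDb ignores parameter names and binds by position, so the
            // Add() calls must be in the same order as the '?' placeholders.
            command.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = newPasswordHash;
            command.Parameters.Add("@login_name", OleDbType.VarWChar, 255).Value = loginName;
            return command.ExecuteNonQuery();
        }
    }

    // Opens the connection, applies the caller-supplied hash function and
    // updates exactly the row whose login_name equals loginName.
    // With the concatenated SQL from the question, a loginName such as
    //     admin' OR '1'='1
    // would become  WHERE login_name = 'admin' OR '1'='1'  and reset every
    // password in the table; here it is compared literally and matches nothing.
    public static bool ChangePassword(
        string connectionString, string loginName, string newPassword,
        Func<string, string> hashPassword)
    {
        using (var connection = new OleDbConnection(connectionString))
        {
            connection.Open();
            int rows = UpdateExistingUserRecord(connection, loginName, hashPassword(newPassword));
            return rows == 1;
        }
    }
}
```

Returning rows == 1 rather than rows > 0 makes an unexpected multi-row update fail loudly instead of being reported as success. The hashPassword argument is deliberately left to the caller: as the comment on the question notes, the unsalted MD5 used by the original code is not an adequate password hash, and a salted, deliberately slow password hash should be substituted there.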