2014-02-16
1

Syntax error in UPDATE statement, C# with Microsoft Access

This is the result I get in my console:

UPDATE [Customer] SET username = 'asd', password = 'asd', address = 'asddd', referenceno = '12345' WHERE id = 27

When I run the query directly in my MS Access database, it works fine.

I don't know why I get this error every time I try to update data in the database from my code.

private void buttonUpdate_Click(object sender, EventArgs e) // user clicks on the Update button
{
    if (cbTable.Text.Equals("User"))
    {
        string query = "";
        query += "username ='" + textBoxUsername.Text.ToString() + "' ,"; //query
        query += "password ='" + textBoxPassword.Text.ToString() + "' ,"; //query
        query += "contact ='" + ContactNo.Text.ToString() + "' ,"; //query
        query += "ref_no = " + textBoxReferenceno.Text.ToString() + " WHERE id = " + Convert.ToInt32(textBoxId.Text.ToString()); //query
        try
        {
            new controllerclass().updateDatabase("User", query); //update database
            Console.WriteLine(query);

            Console.WriteLine("Saved");
            MessageBox.Show("User profile has been updated.", "Update", MessageBoxButtons.OK, MessageBoxIcon.Information);
            loadDatabaseUser();
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}

// After the user presses the Update button, this function (in controllerclass) is used.
public bool updateDatabase(string type, string query) //update database function
{
    try
    {
        OleDbCommand cmd = new OleDbCommand(); //open connection
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "UPDATE [" + type + "] SET " + query;
        cmd.Connection = conn;
        Console.WriteLine("UPDATE [" + type + "] SET " + query);
        cmd.ExecuteNonQuery(); //execute command
        closeConnection();
        return true;
    }
    catch (Exception e)
    {
        closeConnection(); // close connection
        Console.WriteLine(e.Message); //write the error to the console
        return false;
    }
}
+0

Your code is vulnerable to SQL injection. Consider using parameterized queries. –

Answers

1

PASSWORD is a reserved keyword in Microsoft Access. You need to enclose it in square brackets:

query += "[password] ='" 

That said, let me give you some advice here. Change this architecture, which forces you to build SQL queries by string concatenation, as soon as possible. The only way to build and use a command text is through parameterized queries.

Looking at your query, USER (the table name) is also a reserved keyword; better to enclose it too.

So let me show a different approach:

string query = @"username = ?, [password] = ?, contact = ?,
                 ref_no = ? WHERE id = ?";
// OleDb placeholders are positional: add the parameters in the same order as the ? marks
List<OleDbParameter> parameters = new List<OleDbParameter>();
parameters.Add(new OleDbParameter()
    { ParameterName = "@p1", OleDbType = OleDbType.VarChar,
      Value = textBoxUsername.Text });
parameters.Add(new OleDbParameter()
    { ParameterName = "@p2", OleDbType = OleDbType.VarChar,
      Value = textBoxPassword.Text });
parameters.Add(new OleDbParameter()
    { ParameterName = "@p3", OleDbType = OleDbType.VarChar,
      Value = ContactNo.Text });
parameters.Add(new OleDbParameter()
    { ParameterName = "@p4", OleDbType = OleDbType.Integer,
      Value = Convert.ToInt32(textBoxReferenceno.Text) });
parameters.Add(new OleDbParameter()
    { ParameterName = "@p5", OleDbType = OleDbType.Integer,
      Value = Convert.ToInt32(textBoxId.Text) });

// updateDatabase wraps the table name in [ ] itself, so pass the bare name
new controllerclass().updateDatabase("User", query, parameters);
.... 

public bool updateDatabase(string type, string query, List<OleDbParameter> parameters)
{
    try
    {
        OleDbCommand cmd = new OleDbCommand(); //open connection
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "UPDATE [" + type + "] SET " + query;
        cmd.Connection = conn;
        cmd.Parameters.AddRange(parameters.ToArray()); //values travel as parameters, not as SQL text
        cmd.ExecuteNonQuery(); //execute command
        closeConnection();
        return true;
    }
    catch (Exception e)
    {
        closeConnection(); // close connection
        Console.WriteLine(e.Message);
        return false;
    }
}

I still think that a *generic do-it-all-database-work-for-me* method is not a good practice, because there are too many cases to cover. At least using parameterized queries will help you avoid SQL injection and parsing problems.
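As an added, self-contained example (not code from the question or from the answer above), here is one way to put the advice together: values are sent as OleDb parameters, while table and column names, which OLE DB cannot parameterize, come only from a fixed allow-list and are always bracketed so reserved words such as USER and PASSWORD cannot break the statement. The connection string, the `UserRepository` class and the column list are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.OleDb;

public static class UserRepository
{
    // Assumed connection string; replace with the application's own.
    private const string ConnString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=app.accdb;";

    // Identifiers cannot be passed as parameters, so only names from this
    // fixed allow-list ever reach the SQL text, and each one is bracketed
    // because names like USER and PASSWORD are reserved words in Access.
    private static readonly HashSet<string> Columns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "username", "password", "contact", "ref_no" };

    // Updates one row of [User]. Values travel as OleDbParameter objects,
    // so a quote inside a value such as O'Brien is data, not SQL.
    public static int UpdateUser(int id, IDictionary<string, object> values)
    {
        var setParts = new List<string>();
        var parameters = new List<OleDbParameter>();
        foreach (var kv in values)
        {
            if (!Columns.Contains(kv.Key))
                throw new ArgumentException("Unknown column: " + kv.Key);
            setParts.Add("[" + kv.Key + "] = ?");
            parameters.Add(new OleDbParameter
                { ParameterName = "@" + kv.Key, Value = kv.Value ?? DBNull.Value });
        }
        // OLE DB placeholders are positional: parameters must be added in
        // the same order as the ? marks, so the WHERE value is added last.
        string sql = "UPDATE [User] SET " + string.Join(", ", setParts)
                   + " WHERE [id] = ?";
        parameters.Add(new OleDbParameter { ParameterName = "@id", Value = id });

        using (var conn = new OleDbConnection(ConnString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.AddRange(parameters.ToArray());
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 0 means no row with that id
        }
    }
}
```

Calling `UserRepository.UpdateUser(27, new Dictionary<string, object> { { "password", "asd" } })` produces `UPDATE [User] SET [password] = ? WHERE [id] = ?` with two parameters, so the reserved word and the value are both handled without string concatenation.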

0
// Column names reconstructed from the parameter names below: the page's copy had each "name=@name" pair mangled into "[email protected]".
OleDbCommand cmd = new OleDbCommand("update income set transtype=@transtype, amount=@amount, typeofincome=@typeofincome, date=@date, bankname=@bankname, chequenum=@chequenum where id=" + idss, con);
cmd.Parameters.AddWithValue("@transtype", combotranincometype.SelectedItem.ToString());
cmd.Parameters.AddWithValue("@amount", Convert.ToInt32(incomeamounttxt.Text));
cmd.Parameters.AddWithValue("@typeofincome", comboincometype.SelectedItem.ToString());
cmd.Parameters.AddWithValue("@date", dateTimePicker1.Value.ToShortDateString());
cmd.Parameters.AddWithValue("@bankname", banknametxt.Text);
cmd.Parameters.AddWithValue("@chequenum", chequenumtxt.Text);
if (cmd.ExecuteNonQuery() > 0)
{
    MessageBox.Show("success");
    incomegrid();
    incomeclear();
}

**syntax error in update statement**