SQL更新查询中的语法错误

时间:2012-07-20 17:10:54

标签: mysql vb.net

我正在尝试更新MSAccess中的表,其字段的数据类型为“Text”。但是当我运行代码时,它在UPDATE语句中显示sysntax错误。这是我的vb代码:

Dim user As String         Dim password As String         Dim dtT As New DataTable 

    Dim cmd As New OleDb.OleDbCommand

    user = Me.TextBox1.Text
    password = Me.TextBox2.Text


    If Not cnn.State = ConnectionState.Open Then

        cnn.Open()
    End If
    Try
        Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

        ' MsgBox("STUDENT SAVED!!", MsgBoxStyle.MsgBoxRight)

        daA.Fill(dtT)
        Me.DG1.DataSource = dtT


        'password = DG1.Item(0, 0).Value
        'ss1 = DG1.Item(1, 0).Value

        If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then


            cmd.Connection = cnn
            cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text
            System.Console.WriteLine(cmd.CommandText)

            Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo)

            If result = DialogResult.Yes Then
                cmd.ExecuteNonQuery()
                MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight)
                Panel1.Hide()
            End If


        Else
            MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical)

        End If
        cnn.Close()

    Catch ex As Exception
        MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical)
    End Try

3 个答案:

答案 0 :(得分:2)

永远不要使用字符串连接来创建SQL命令。始终使用PARAMETERS
这将解决两个问题: 字符串中的单引号,但最重要的是避免使用SQL Injection Attacks 

Dim cmd As New OleDb.OleDbCommand 
user = Me.TextBox1.Text 
password = Me.TextBox2.Text 

If Not cnn.State = ConnectionState.Open Then 
    cnn.Open() 
End If 

Try 
    Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE `password` =?", cnn) 
    daA.SelectCommand.Parameters.AddWithValue("@pass", password);
    daA.Fill(dtT) 
    Me.DG1.DataSource = dtT 


    If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then 
        cmd.Connection = cnn 
        cmd.CommandText = "UPDATE adlogin SET `password` = ? WHERE `user` = ?" 
        Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo) 
        If result = DialogResult.Yes Then 
            cmd.Parameters.AddWithValue("@pass", Me.TextBox3.Text)
            cmd.Parameters.AddWithValue("@user", user)
            cmd.ExecuteNonQuery() 
            MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight) 
            Panel1.Hide() 
        End If 
    Else 
        MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical) 
    End If 
    cnn.Close() 
Catch ex As Exception 
    MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical) 
End Try

答案 1 :(得分:0)

你需要在*这一行后面加一个空格:

Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

您还需要将变量放在'

之间

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user ='" & Me.TextBox1.Text & "'"

答案 2 :(得分:0)

一些事情:

SELECT *FROM adlogin etc...
        ^---no space

UPDATE adlogin [..snip...] WHERE user =" & Me.TextBox1.Text
                                       ^---- is "user" a numeric field? needs quotes if not.
相关问题
最新问题