Syntax error in query when running an UPDATE query from C# code

Time: 2013-11-15 15:16:41

Tags: c# visual-studio oledb

I am trying to run the following code:

private void btnUpdate_Click(object sender, EventArgs e)
{
    if (txtNewPassword.Text.Length > 4 && txtNewPassword.Text.Equals(txtConfirmPassword.Text))
    {
        try
        {
            OleDbConnection connection = new OleDbConnection(MDFConfiguration.getConnectionString());
            connection.Open();

            int updatedRecordCount = updateExistingUserRecord(connection);

            if (updatedRecordCount > 0)
            {
                MessageBox.Show("Password Changed Successfully");
            }
            else
            {
                MessageBox.Show("There was some error during updated");
            }

            connection.Close();

        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
            MessageBox.Show("exception: " + ex.ToString());
        }
    }
    else
    {
        MessageBox.Show("New Password does not match required criteria");
    }
}

private int updateExistingUserRecord(OleDbConnection connection)
{
    string sql = "UPDATE " + MDFConfiguration.LOGIN_INFO_TABLE + " SET " +
        " password = '" + MDFUtils.CreateMD5Hash(txtNewPassword.Text) + "' WHERE " +
        " login_name = '" + cmbLoginNames.SelectedItem.ToString() + "'";

    Console.WriteLine("sql = " + sql);

    OleDbCommand command = new OleDbCommand(sql, connection);
    return command.ExecuteNonQuery();
}

When I run this code it gives a syntax error in the query at runtime, but when I run the same query that is printed by Console.WriteLine in the snippet above directly in MS Access, it runs without any error.

Console.WriteLine prints the following query:

UPDATE MDF_LOGIN_INFO SET  password = 'E206A54E97690CCE50CC872DD70EE896' WHERE  login_name = 'admin'

Exception log:

A first chance exception of type 'System.Data.OleDb.OleDbException' occurred in System.Data.dll
System.Data.OleDb.OleDbException (0x80040E14): Syntax error in UPDATE statement.
   at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
   at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
   at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
   at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
   at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
   at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
   at MDFData.AdminToolForm.updateExistingUserRecord(OleDbConnection connection) in c:\Users\UBAID ULLAH\Documents\Visual Studio 2012\Projects\Backup MDFData\MDFData\AdminToolForm.cs:line 114
   at MDFData.AdminToolForm.btnUpdate_Click(Object sender, EventArgs e) in c:\Users\UBAID ULLAH\Documents\Visual Studio 2012\Projects\Backup MDFData\MDFData\AdminToolForm.cs:line 79

Any suggestions?

1 answer:

Answer 0 (score: 1)

Wrap the column names in square brackets - password and login_name are probably reserved words and conflict with the UPDATE statement, i.e.

UPDATE MDF_LOGIN_INFO 
SET [password] = 'E206A54E97690CCE50CC872DD70EE896' 
WHERE [login_name] = 'admin'

I would also recommend that you use SQL Parameters in your queries instead of raw SQL, because at the moment you are open to SQL Injection.
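As an added illustration of the answer above (not code from the original post), here is the same UPDATE rewritten with bracketed column names and OLE DB parameters. The table name, the helper class and its method are assumptions; the hash is passed in as a string so the caller decides how it is produced.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Assumed helper (not from the original post). The table name is hard-coded
// here instead of being read from MDFConfiguration.LOGIN_INFO_TABLE.
static class PasswordUpdater
{
    private const string LoginInfoTable = "MDF_LOGIN_INFO";

    // Returns the number of rows updated. loginName and passwordHash are bound
    // as parameters, so their contents can never change the shape of the SQL.
    public static int UpdatePasswordHash(string connectionString, string loginName, string passwordHash)
    {
        // Identifiers cannot be parameterized; the table name comes from
        // configuration, not from user input. Column names stay bracketed
        // because they are reserved words in Access/Jet SQL. OLE DB uses
        // positional '?' placeholders, bound in the order they appear.
        string sql = "UPDATE " + LoginInfoTable +
                     " SET [password] = ? WHERE [login_name] = ?";

        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // Parameter names are ignored by OLE DB; only the order matters.
            command.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = passwordHash;
            command.Parameters.Add("@login_name", OleDbType.VarWChar, 255).Value = loginName;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

From the form's click handler this would be called with the connection string, the selected login name and the computed hash in place of the string-concatenated updateExistingUserRecord.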