我的结果是我进入了我的控制台。
更新[客户] SET username ='asd',password ='asd',address ='asddd',referenceno ='12345'WHERE id = 27
当我在MS Access数据库中编写查询时,它运行正常。
我不知道为什么每当我尝试将数据更新到数据库时都会出现此错误。
private void buttonUpdate_Click(object sender, EventArgs e) // user click on button update
{
if (cbTable.Text.Equals("User"))
{
string query = "";
query += "username ='" + textBoxUsername.Text.ToString() + "' ,"; //query
query += "password ='" + textBoxPassword.Text.ToString() + "' ,"; //query
query += "contact ='" + ContactNo.Text.ToString() + "' ,"; //query
query += "ref_no = " + textBoxReferenceno.Text.ToString() + " WHERE id = " + Convert.ToInt32(textBoxId.Text.ToString()); //query
try
{
new controllerclass().updateDatabase("User", query); //update database
Console.WriteLine(query);
Console.WriteLine("Saved");
MessageBox.Show("User profile has been updated.", "Update", MessageBoxButtons.OK, MessageBoxIcon.Information);
loadDatabaseUser();
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
}
//After users enter the update button, this function will be used.
public bool updateDatabase(string type, string query) //update database function
{
try
{
OleDbCommand cmd = new OleDbCommand(); //open connection
cmd.CommandType = CommandType.Text;
cmd.CommandText = "UPDATE [" + type + "] SET " + query;
cmd.Connection = conn;
Console.WriteLine("UPDATE [" + type + "] SET " + query);
cmd.ExecuteNonQuery(); //execute command
closeConnection();
return true;
}
catch (Exception e)
{
closeConnection(); // close connection
Console.WriteLine(e.Message); //writeline to console
return false;
}
}
答案 0 :(得分:1)
PASSWORD是Microsoft Access中的保留关键字。你需要用方括号
封装它 query += "[password] ='"
说,让我在这里给予建议。尽快更改此架构,强制您编写字符串连接以构建SQL查询。创建和使用命令文本的唯一方法是通过参数化查询
更好地查看您的查询,USER(表名)也是保留关键字
所以让我展示一种不同的方法
string query = @"username =?, [password] = ?, contact =?
ref_no = ? WHERE id = ?";
List<OleDbParameter> parameters = new List<OleDbParameter>();
parameters.Add(new OleDbParameter()
{ParameterName = "@p1, OleDbType = OleDbType.VarChar,
Value = txtBoxUsername.Text});
parameters.Add(new OleDbParameter()
{ParameterName = "@p2, OleDbType = OleDbType.VarChar,
Value = textBoxPassword.Text});
parameters.Add(new OleDbParameter()
{ParameterName = "@p3, OleDbType = OleDbType.VarChar,
Value = ContactNo.Text});
parameters.Add(new OleDbParameter()
{ParameterName = "@p4, OleDbType = OleDbType.Integer,
Value = Convert.ToInt32(textBoxReferenceno.Text)});
parameters.Add(new OleDbParameter()
{ParameterName = "@p5, OleDbType = OleDbType.Integer,
Value = Convert.ToInt32(textBoxId.Text)});
new controllerclass().updateDatabase("[User]", query, parameters);
....
public bool updateDatabase(string type, string query, List<OleDbParameter>parameters)
{
try
{
OleDbCommand cmd = new OleDbCommand(); //open connection
cmd.CommandType = CommandType.Text;
cmd.CommandText = "UPDATE [" + type + "] SET " + query;
cmd.Connection = conn;
cmd.Parameters.AddRange(parameters.ToArray());
cmd.ExecuteNonQuery(); //execute command
closeConnection();
return true;
}
....
}
我仍然认为_generic_doing_it_all_database_work_for_me方法_不是一个好习惯,因为有太多案例需要涵盖。至少使用参数化查询将有助于避免Sql注入和解析问题