query
-
hii all m using update query to update the new paassword in my login table on button click. it gives error:"syntax error in upadate statement". the code is:
protected void Button1_Click(object sender, EventArgs e)
{string str = "UPDATE memberlogin SET Password='"+txtnewpassword.Text+"',Confirmpassword='"+txtconfirmpassword.Text+"'WHERE MemberNo='"+txtusername.Text+"' AND Password='"+txtpassword.Text+"'";
OleDbCommand cmd = new OleDbCommand(str,conn);
conn.Open();
cmd.ExecuteNonQuery();
conn.Close();}plz guide wr m i wrong... thanks...
The query looks good, the only possible problem that might took place is when Parameters like txtnewpassword, txtconfirmpassword,txtusername, txtpassword comes with some weird values. Say I write
txtnewpassword.Text = "0'--"This is what we call SQL injection. So use like this.string str = "UPDATE memberlogin SET Password=@newpass, Confirmpassword=@confirm WHERE MemberNo=@member AND Password=@password";
OleDbCommand cmd = new OleDbCommand(str, conn);
SqlParameter confirm = new SqlParameter("@confirm", SqlDbType.NVarchar, 50);
confirm.value = txtnewpassword.Text; // This will remove sql injection
cmd.Parameters.Add(confirm);
.....
...
..... Do this for all other parameters. Hope you got this more clear now. :rose:
Abhishek Sur
My Latest Articles **Create CLR objects in SQL Server 2005 C# Uncommon Keywords Read/Write Excel using OleDB
**Don't forget to click "Good Answer" if you like to.
-
i have given the breakpoint:it shows: str = "UPDATE memberlogin SET Password='0003',Confirmpassword='0003'WHERE MemberNo='0003' AND Password='0003'" as soon as it execute the query givs error...
Oh.. there must be a space just before Where statement .. I guess. :)
Abhishek Sur
My Latest Articles **Create CLR objects in SQL Server 2005 C# Uncommon Keywords Read/Write Excel using OleDB
**Don't forget to click "Good Answer" if you like to.
-
i have given the breakpoint:it shows: str = "UPDATE memberlogin SET Password='0003',Confirmpassword='0003'WHERE MemberNo='0003' AND Password='0003'" as soon as it execute the query givs error...
Hope You Got the Solution as Abi Suggests..!
MyFirstArticlePublished: MenuControlSelectedItem Why Do Some People Forget To Mark as Answer .If It Helps.
-
The query looks good, the only possible problem that might took place is when Parameters like txtnewpassword, txtconfirmpassword,txtusername, txtpassword comes with some weird values. Say I write
txtnewpassword.Text = "0'--"This is what we call SQL injection. So use like this.string str = "UPDATE memberlogin SET Password=@newpass, Confirmpassword=@confirm WHERE MemberNo=@member AND Password=@password";
OleDbCommand cmd = new OleDbCommand(str, conn);
SqlParameter confirm = new SqlParameter("@confirm", SqlDbType.NVarchar, 50);
confirm.value = txtnewpassword.Text; // This will remove sql injection
cmd.Parameters.Add(confirm);
.....
...
..... Do this for all other parameters. Hope you got this more clear now. :rose:
Abhishek Sur
My Latest Articles **Create CLR objects in SQL Server 2005 C# Uncommon Keywords Read/Write Excel using OleDB
**Don't forget to click "Good Answer" if you like to.
-
mylogics wrote:
i tried but prom is same....
What you have tried ? Did you give a space @where section in your code ? If yes then what error is coming now ?
Abhijit Jana | Codeproject MVP Web Site : abhijitjana.net Visit My Latest Article : Beginner's Guide : Exploring IIS 6.0 With ASP.NET
-
LOL SAme Solution..!
MyFirstArticlePublished: MenuControlSelectedItem Why Do Some People Forget To Mark as Answer .If It Helps.
sashidhar wrote:
LOL SAme Solution..!
With Same time :jig:
Abhijit Jana | Codeproject MVP Web Site : abhijitjana.net Visit My Latest Article : Beginner's Guide : Exploring IIS 6.0 With ASP.NET
-
mylogics wrote:
i tried but prom is same....
What you have tried ? Did you give a space @where section in your code ? If yes then what error is coming now ?
Abhijit Jana | Codeproject MVP Web Site : abhijitjana.net Visit My Latest Article : Beginner's Guide : Exploring IIS 6.0 With ASP.NET
-
yaaa i have given space at where as u told but still it gives error: "syntax error at upadate statement". i also tried using sqlinjection but same...
You've tried using sqlinjection? Oh... :wtf:
var question = (_2b || !(_2b));
--
Mr Mackey from South Park said:
And remember children, there are no stupid questions, just stupid people
-
yaaa i have given space at where as u told but still it gives error: "syntax error at upadate statement". i also tried using sqlinjection but same...
UPDATE memberlogin SET Password='0003',Confirmpassword='0003' WHERE MemberNo='0003' AND Password='0003' use this Query and run it in sqlquery window
MyFirstArticlePublished: MenuControlSelectedItem Why Do Some People Forget To Mark as Answer .If It Helps.
-
sashidhar wrote:
LOL SAme Solution..!
With Same time :jig:
Abhijit Jana | Codeproject MVP Web Site : abhijitjana.net Visit My Latest Article : Beginner's Guide : Exploring IIS 6.0 With ASP.NET
There is a one minute gap between the posts anyway. :)
Vasudevan Deepak Kumar Personal Homepage
Tech Gossips
The woods are lovely, dark and deep, But I have promises to keep, And miles to go before I sleep, And miles to go before I sleep!