error with update query
-
What is wrong with this query? I can't find them... I use C# and an Access database.
command.CommandText = (@"UPDATE Users_Table SET Password= '" + txtNewPassword.Text.ToString() + "' WHERE (Username='" + txtUsername.Text + "' AND Password='" + txtOldPassword.Text + "' )");
command.ExecuteReader();
-
What is the error message? Or why not throw that SQL into a string, and then set the .CommandText to this string? Like:
string sqlSelect = "UPDATE Users_Table SET Password= '" + txtNewPassword.Text.ToString() + "' WHERE Username='" + txtUsername.Text + "' AND Password='" + txtOldPassword.Text + "'";
command.CommandText = sqlSelect;
Also, I did notice an extra space at the time of closing the SQL: txtOldPassword.Text + "' )"); Change to txtOldPassword.Text + "')");
-
First and foremost, you do NOT use string concatenation to build a query like that. Why? Just Google for "SQL Injection attack" and you'll find out. A big problem with what you've done is what happens if the user types a ' character in their password?? I guarantee that it'll break your code and give you the error that you're talking about. Then you can Google for "C# SQL Parameterized queries" to find out how to do it correctly. This also has the benefit of making your code easier to debug and maintain. Next, why are you calling .ToString() on a string?? The Text property always returns a string, so there's no need to call .ToString() on it! And finally, with an UPDATE statement as yours, you would normally use ExecuteScalar, not ExecuteReader, to launch it.
A guide to posting questions on CodeProject[^]
Dave Kreskowiak
-
The error message is: Syntax error in UPDATE statement. Can I use SQL commands when I use an Access database???
-
Now have I prevented my Access database from injection?? I still have the same error.
OleDbConnection connect = new OleDbConnection();
connect.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\user\Desktop\Laiki_Trapeza_Questionnaires.accdb;Persist Security Info=False;";
connect.Open();
OleDbCommand command = new OleDbCommand();
command.Connection = connect;
string OldPassword = txtOldPassword.Text;
string Username = txtUsername.Text;
string Password = txtNewPassword.Text;
command.CommandText = (@"UPDATE Users_Table SET Password=@Password WHERE (Username=@Username AND Password=@OldPassword )");
command.ExecuteReader();
MessageBox.Show(" Succesfull update password!");
connect.Close();
-
Yeah, you never supplied the values for any of the parameters. Keep reading those links. You might want to pick out stuff that mentions "OleDbParameter".
A guide to posting questions on CodeProject[^]
Dave Kreskowiak
-
What did you mean? These commands must become
string OldPassword = txtOldPassword.Text;
string Username = txtUsername.Text;
string Password = txtNewPassword.Text;
like this:
command.Parameters.AddWithValue(@"OldPassword", txtOldPassword);
command.Parameters.AddWithValue(@"NewPassword", txtNewPassword);
command.Parameters.AddWithValue(@"Username", txtUsername);
???? Sorry, but I don't understand what you mean with "Keep reading those links. You might want to pick out stuff that mentions "OleDbParameter"."
-
string sqlSelect = string.Format("UPDATE Users_Table SET Password= '{0}' WHERE Username='{1}' AND Password='{2}'", txtNewPassword.Text.ToString(), txtUsername.Text, txtOldPassword.Text);
command.CommandText = sqlSelect;
You can also try like this.
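The parameterised UPDATE that the thread keeps pointing at, written out as an added example; this is not code from any of the posts above. It covers both the question of how to "supply the values for the parameters" and the string.Format answer just given: all three user-supplied values are bound through OleDbParameter objects rather than concatenated or formatted into the SQL text, so a ' in a password cannot change the meaning of the statement, and the values are read from the TextBox .Text properties rather than the controls themselves. Assumptions not on the page: the .accdb path is a placeholder, the columns are text, and the placeholder names are mine. Password is a reserved word in Access SQL, which is one cause of "Syntax error in UPDATE statement"; the brackets around [Password] avoid that.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example, not the poster's code. Same UPDATE as in the thread, but every
// user-supplied value is bound as a parameter instead of being pasted into the SQL.
public static class PasswordUpdater
{
    // Placeholder path (assumption): replace with the real database location.
    private const string ConnectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\database.accdb;Persist Security Info=False;";

    // Returns the number of rows changed: 1 if username and old password matched, 0 otherwise.
    public static int ChangePassword(string username, string oldPassword, string newPassword)
    {
        using (var connect = new OleDbConnection(ConnectionString))
        using (var command = connect.CreateCommand())
        {
            // Password is a reserved word in Access SQL, so it is bracketed.
            // The OLE DB provider binds parameters by position, not by name, so the
            // documented placeholder is '?', and the Parameters.Add calls below must be
            // in the same order as the placeholders appear in the text.
            command.CommandText =
                "UPDATE Users_Table SET [Password] = ? WHERE [Username] = ? AND [Password] = ?";

            command.Parameters.Add("@NewPassword", OleDbType.VarWChar).Value = newPassword;
            command.Parameters.Add("@Username", OleDbType.VarWChar).Value = username;
            command.Parameters.Add("@OldPassword", OleDbType.VarWChar).Value = oldPassword;

            connect.Open();
            // An UPDATE returns no result set, so ExecuteNonQuery is the right call;
            // its return value is the number of rows affected.
            return command.ExecuteNonQuery();
        }
    }
}

// Usage from the form's button handler (txt* are the TextBox controls from the thread):
// int rows = PasswordUpdater.ChangePassword(txtUsername.Text, txtOldPassword.Text, txtNewPassword.Text);
// MessageBox.Show(rows == 1 ? "Password updated." : "Username or old password was wrong.");
```

Checking the ExecuteNonQuery return value is what tells the caller whether the old password actually matched; the original code showed "Successful update password!" regardless of whether any row changed.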