syntax error missing operator in query expression c# using access as database

I'm getting a syntax error for all my inputs into the textboxes.

In my database all the requirements are strings other than the ID, which is an autonumber. I tried searching for possible answers, but none of them worked, or maybe I just missed some answer.

Here is the error:

Syntax error (missing operator) in query expression ''hasdasd'password = 'h'account_Type='Manager'Name='h'Middle_Name='h'Surname'h'address'h'BirthDate='3/17/1999'Mobile_Number'65465''.

Code:

private void update_Click(object sender, EventArgs e)
{
    DateTime bdate = DateTime.Parse(birthdate.Value.ToShortDateString());
    DateTime currentDate = DateTime.Parse(DateTime.Now.Date.ToShortDateString());

    int age = currentDate.Year - bdate.Year;
    String id = emp_view.SelectedRows[0].Cells[0].Value + String.Empty;
    int id1 = Int32.Parse(id);

    try
    {
        OleDbConnection con = new OleDbConnection();
        con.ConnectionString = @"Provider = Microsoft.ACE.OLEDB.12.0; Data Source = C:\dbms\jollibee.accdb";
        con.Open();

        OleDbCommand cmd = new OleDbCommand();
        cmd.Connection = con;
        cmd.CommandText = "update Employee_Details set username = '" + username.Text +
                                                            "'password = '" + password.Text +
                                                            "'account_Type='" + accountType.Text +
                                                            "'Name='" + name.Text +
                                                            "'Middle_Name='" + middlename.Text +
                                                            "'Surname'" + surname.Text +
                                                            "'address'" + address.Text +
                                                            "'BirthDate='" + birthdate.Value.ToShortDateString() +
                                                            "'Mobile_Number'" + mobilenumber.Text +
                                                            "'where ID = '" + id1 + "'";

        if (username.Text.Equals("") ||
            username.Text.Equals("") ||
            password.Text.Equals("") ||
            middlename.Text.Equals("") ||
            surname.Text.Equals("") ||
            address.Text.Equals("") ||
            accountType.Text.Equals("") ||
            mobilenumber.Text.Equals("")
           )
        {
            MessageBox.Show("Please fill all fields.");
            con.Close();
        }
        else if (age < 18)
        {
            MessageBox.Show("You are not allowed to work because you are under age..");
            con.Close();
        }
        else
        {
            cmd.ExecuteNonQuery();
            con.Close();
            MessageBox.Show(username.Text + "is now updated on database.");
            list();
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
}

In your existing code, there are issues like:

1- Columns in the update are not separated by ","

2- All strings are not separated using quotes ''

You should always avoid writing queries inline by concatenation of strings. This will make your code vulnerable to SQL Injection.

To read more about SQL Injections check here

Change your code like the following, using command parameters.

// OleDb binds parameters by position, not by name, so add them in the same order as they appear in the SQL.
cmd.CommandText = "update Employee_Details set [username] = @un, [password] = @pw, [account_Type]= @at, [Name] = @nm, [Middle_Name]= @mn, [Surname]= @sn, [address]= @add, [BirthDate] = @bd, [Mobile_Number] = @mob WHERE [Id]=@id";
cmd.Parameters.Add("@un", OleDbType.VarChar).Value = username.Text;
cmd.Parameters.Add("@pw", OleDbType.VarChar).Value = password.Text;
cmd.Parameters.Add("@at", OleDbType.VarChar).Value = accountType.Text;
cmd.Parameters.Add("@nm", OleDbType.VarChar).Value = name.Text;
cmd.Parameters.Add("@mn", OleDbType.VarChar).Value = middlename.Text;
cmd.Parameters.Add("@sn", OleDbType.VarChar).Value = surname.Text;
cmd.Parameters.Add("@add", OleDbType.VarChar).Value = address.Text;
cmd.Parameters.Add("@bd", OleDbType.Date).Value = Convert.ToDateTime(birthdate.Value);
// Mobile_Number gets its own placeholder name; "@mn" is already used for Middle_Name.
cmd.Parameters.Add("@mob", OleDbType.VarChar).Value = mobilenumber.Text;
// ID is an autonumber and id1 is an int, so bind it as an integer.
cmd.Parameters.Add("@id", OleDbType.Integer).Value = id1;

Note: You need to correct the datatype based on your table structure as it is not known to me.
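A fuller version of the parameterized update described above, as an added example that is not part of the original answers. The names EmployeeUpdate and EmployeeRepository.Update are hypothetical, and the column types (Short Text, Date/Time, autonumber ID) are assumptions taken from the question's description.

```csharp
using System;
using System.Data.OleDb;

// Hypothetical DTO mirroring the question's form fields (added example).
public sealed class EmployeeUpdate
{
    public int Id;
    public string Username, Password, AccountType, Name, MiddleName, Surname, Address, MobileNumber;
    public DateTime BirthDate;
}

public static class EmployeeRepository
{
    // Constant SQL text: user input is never spliced into the statement.
    // OLE DB binds by position, so each "?" takes the next parameter added.
    private const string UpdateSql =
        "UPDATE Employee_Details SET [username] = ?, [password] = ?, [account_Type] = ?, " +
        "[Name] = ?, [Middle_Name] = ?, [Surname] = ?, [address] = ?, [BirthDate] = ?, " +
        "[Mobile_Number] = ? WHERE [ID] = ?";

    // Returns the number of rows changed (0 means no row has that ID).
    public static int Update(string connectionString, EmployeeUpdate e)
    {
        using (var con = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(UpdateSql, con))
        {
            AddText(cmd, "username", e.Username);
            AddText(cmd, "password", e.Password);
            AddText(cmd, "account_Type", e.AccountType);
            AddText(cmd, "Name", e.Name);
            AddText(cmd, "Middle_Name", e.MiddleName);
            AddText(cmd, "Surname", e.Surname);
            AddText(cmd, "address", e.Address);
            cmd.Parameters.Add("BirthDate", OleDbType.Date).Value = e.BirthDate.Date;
            AddText(cmd, "Mobile_Number", e.MobileNumber);
            cmd.Parameters.Add("ID", OleDbType.Integer).Value = e.Id;

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Column types are assumed to be Access Short Text; a value such as
    // O'Brien is sent as data and cannot change the statement's structure.
    private static void AddText(OleDbCommand cmd, string name, string value)
    {
        cmd.Parameters.Add(name, OleDbType.VarWChar).Value = (object)value ?? DBNull.Value;
    }
}
```

From update_Click, fill an EmployeeUpdate from the textboxes once the empty-field and age checks pass, then call EmployeeRepository.Update with the connection string.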

Your completely malformed SQL should look like:

       cmd.CommandText = "update Employee_Details set " +
                         "username = '" + username.Text + "',"+
                         "[password] = '" + password.Text + "'," +
                         "account_Type = '" + accountType.Text + "'," +
                         "[Name] = '" + name.Text + "'," +
                         "Middle_Name = '" + middlename.Text + "'," +
                         "Surname = '" + surname.Text + "'," +
                         "address = '" + address.Text + "'," +
                         "BirthDate = #" + birthdate.Value.ToString("yyyy'/'MM'/'dd") + "#," +
                         "Mobile_Number = '" + mobilenumber.Text + "' " +
                         "where ID = " + id1 + "";

That said, DO use parameters as already explained. Much easier and safer.
