
How to update database records within a user input range?

I am trying to update database records over a range in Access using SQL and C#. Using an UPDATE query keeps giving me an error

Syntax error (missing operator) in query expression

All of the query criteria are from user input. I have tried a number of sources to find an answer but I believe my SQL statement is correct. Below is the method that is performing the task that I need.

private void btnUpdate_Click(object sender, EventArgs e)
{
    // ch, dbConn, dbCmd and sql are fields declared elsewhere in the form.
    int teamYear = Convert.ToInt32(this.textBoxBegYear.Text);
    int endYear = Convert.ToInt32(this.textBoxEndYear.Text);
    string teamName = this.textBoxTeamName.Text;
    string league = this.textBoxLeague.Text;
    string conference = this.textBoxConf.Text;
    string division = this.textBoxDivision.Text;

    try
    {
        dbConn = new OleDbConnection();
        dbConn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source="
            + ch + openFileDialog1.FileName + ch;
        dbConn.Open();

        // The SET values are parameters, but the WHERE clause pastes the raw
        // text box contents (unquoted) straight into the SQL string.
        sql = "UPDATE " + this.comboBox1.SelectedItem.ToString()
            + " SET LeagueName = @leagueName, ConferenceName = @conferenceName,"
            + " DivisionName = @divisionName WHERE TeamName = " + this.textBoxTeamName.Text
            + " AND TeamYear BETWEEN " + this.textBoxBegYear.Text
            + " AND " + this.textBoxEndYear.Text;

        dbCmd = new OleDbCommand(sql, dbConn);

        for (int i = teamYear; i <= endYear; i++)
        {
            dbCmd.Parameters.AddWithValue("@leagueName", league);
            dbCmd.Parameters.AddWithValue("@conferenceName", conference);
            dbCmd.Parameters.AddWithValue("@divisionName", division);
            dbCmd.ExecuteNonQuery();
        }
        dbCmd.Connection.Close();
        dbConn.Close();
    }
    catch (Exception err)
    {
        MessageBox.Show("Error: " + err.Message.ToString());
    }
}

The exception comes from the second half of the SQL statement after the WHERE clause asking for a missing operator.

Can anyone happen to see what I may be missing? Any help would be appreciated.

You might be missing single quotes ' ...

TeamName = '" + this.textBoxTeamName.Text + "'

Also, I'm assuming this is just a project you're playing around with and nothing that will be available online? Reason I ask is that the SQL query is vulnerable to SQL injection attacks.

You need to escape the text from the user input with single quotes.

WHERE TeamName = '" + this.textBoxTeamName.Text 
               + "' AND TeamYear BETWEEN " + this.textBoxBegYear.Text 
               + " AND " + this.textBoxEndYear.Text;

(Notice the single quotes).

Please do not use the code you posted. Please read up on SQL Injection attacks and why your code is very unsafe and replace it with some properly cleaned input handling.

Why don't you replace the code in the "try" block with this:

        dbConn = new OleDbConnection();
        dbConn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source="
           + ch + openFileDialog1.FileName + ch;
        dbConn.Open();

        // Every user-supplied value is now a parameter. The table name cannot be
        // a parameter; it comes from the combo box, so keep that list fixed
        // rather than user-editable.
        sql = "UPDATE " + this.comboBox1.SelectedItem.ToString()
           + " SET LeagueName = @leagueName, ConferenceName = @conferenceName,"
           + " DivisionName = @divisionName"
           + " WHERE TeamName = @teamName AND TeamYear BETWEEN @begYear AND @endYear";

        dbCmd = new OleDbCommand(sql, dbConn);

        // OleDb ignores parameter names and binds by position, so add them in
        // the same order they appear in the SQL. BETWEEN already covers the
        // whole year range, so a single ExecuteNonQuery updates every matching
        // row; a per-year loop is not needed, and re-adding the parameters on
        // each pass would only duplicate them.
        dbCmd.Parameters.AddWithValue("@leagueName", league);
        dbCmd.Parameters.AddWithValue("@conferenceName", conference);
        dbCmd.Parameters.AddWithValue("@divisionName", division);
        dbCmd.Parameters.AddWithValue("@teamName", teamName);
        dbCmd.Parameters.AddWithValue("@begYear", teamYear);
        dbCmd.Parameters.AddWithValue("@endYear", endYear);   // the end year, not textBoxBegYear again
        dbCmd.ExecuteNonQuery();

        dbCmd.Connection.Close();
        dbConn.Close();

That way you have a better idea what the SQL query looks like, and you parameterize the users' input to improve security (prevent any SQL injection).

To troubleshoot your issue, you may need to debug into this piece of code and see what the SQL query is, then try to execute it from your SQL client tool (such as SQL Management Studio); you will have a better idea what goes wrong.

Hope this helps. Henry Liang
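The three stages the answers above describe (the unquoted WHERE clause that fails to parse, the quoted-but-concatenated fix that parses and is injectable, and the parameterized fix), run side by side as an added example that is not part of the question or any answer on this page. It uses Python's built-in sqlite3 as a stand-in for the C#/OleDb/Access code so it can run offline; the Teams table, its columns and the sample rows are constructed, and the helper names are assumptions. It also adds the one check parameters cannot give you: an allow-list for the table name that the combo box supplies.

```python
import sqlite3

# Constructed sample rows standing in for the Access table picked in the combo box.
SAMPLE_ROWS = [
    ("Boston Red Sox", 2010, "AL", "East", "Old"),
    ("Boston Red Sox", 2011, "AL", "East", "Old"),
    ("Boston Red Sox", 2012, "AL", "East", "Old"),
    ("New York Yankees", 2011, "AL", "East", "Old"),
]

# Identifiers (table names) cannot be bound as parameters, so the only safe
# option is an allow-list; the combo box should be populated from this.
ALLOWED_TABLES = {"Teams"}


def fresh_db():
    """In-memory database holding the constructed Teams table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Teams (TeamName TEXT, TeamYear INTEGER, "
        "LeagueName TEXT, ConferenceName TEXT, DivisionName TEXT)"
    )
    conn.executemany("INSERT INTO Teams VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unquoted_fails(conn, team="Boston Red Sox"):
    """The question's WHERE clause: the team name pasted in without quotes.
    The engine reads 'Boston Red Sox' as bare identifiers and rejects the
    statement; this is the 'missing operator' class of error."""
    sql = ("UPDATE Teams SET DivisionName = 'New' WHERE TeamName = " + team
           + " AND TeamYear BETWEEN 2011 AND 2012")
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        return True
    return False


def update_concatenated(conn, table, team, beg, end, league, conf, div):
    """The first two answers' fix: quotes added, values still concatenated.
    Works for honest input, but the quotes are the only thing separating
    user text from SQL, and the user controls the quotes."""
    sql = ("UPDATE " + table
           + " SET LeagueName = '" + league + "', ConferenceName = '" + conf
           + "', DivisionName = '" + div + "'"
           + " WHERE TeamName = '" + team + "'"
           + " AND TeamYear BETWEEN " + beg + " AND " + end)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually modified


def update_parameterized(conn, table, team, beg, end, league, conf, div):
    """The third answer's fix: every value is a bound parameter, the years are
    converted to int first (as Convert.ToInt32 does in the question), and the
    table name is checked against the allow-list. Raises ValueError on bad input."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % table)
    sql = ("UPDATE " + table
           + " SET LeagueName = ?, ConferenceName = ?, DivisionName = ?"
           + " WHERE TeamName = ? AND TeamYear BETWEEN ? AND ?")
    # Order matters: sqlite3 '?' placeholders, like OleDb's, bind by position.
    cur = conn.execute(sql, (league, conf, div, team, int(beg), int(end)))
    conn.commit()
    return cur.rowcount


def divisions(conn):
    """DivisionName per row, in a fixed order so results are comparable."""
    rows = conn.execute("SELECT DivisionName FROM Teams ORDER BY TeamName, TeamYear")
    return [r[0] for r in rows]


def is_rejected(conn, **overrides):
    """True if update_parameterized refuses the input instead of running it."""
    args = dict(table="Teams", team="Boston Red Sox", beg="2011", end="2012",
                league="AL", conf="East", div="New")
    args.update(overrides)
    try:
        update_parameterized(conn, **args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = fresh_db()
    print("unquoted rejected:", unquoted_fails(conn))
    print("honest, concatenated rows:",
          update_concatenated(conn, "Teams", "Boston Red Sox", "2011", "2012", "AL", "East", "New"))
    conn = fresh_db()
    print("injected, concatenated rows:",
          update_concatenated(conn, "Teams", "x' OR 1=1 --", "2011", "2012", "AL", "East", "Pwned"))
    conn = fresh_db()
    print("injected, parameterized rows:",
          update_parameterized(conn, "Teams", "x' OR 1=1 --", "2011", "2012", "AL", "East", "Pwned"))
```

With the concatenated form, a team name of `x' OR 1=1 --` closes the quote, turns the rest of the WHERE clause into a comment, and rewrites every row in the table; the same string passed as a parameter is just a team name that matches nothing. The year fields are unquoted in both the question and the first two answers, so `2012 OR 1=1` would do the same damage there; converting to int before binding, as the question already does at the top of the method, makes that input a conversion error instead of a query.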

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
