
syntax error missing operator in query expression c# using access as database

I'm getting a syntax error for all my inputs into the textboxes.

In my database all the fields are strings other than the ID, which is an AutoNumber. I tried to search for a possible answer but none of them worked, or maybe I just missed some answer.

Here is the error:

Syntax error (missing operator) in query expression ''hasdasd'password = 'h'account_Type='Manager'Name='h'Middle_Name='h'Surname'h'address'h'BirthDate='3/17/1999'Mobile_Number'65465''.

Code:

private void update_Click(object sender, EventArgs e)
{
    DateTime bdate = DateTime.Parse(birthdate.Value.ToShortDateString());
    DateTime currentDate = DateTime.Parse(DateTime.Now.Date.ToShortDateString());

    int age = currentDate.Year - bdate.Year;
    String id = emp_view.SelectedRows[0].Cells[0].Value + String.Empty;
    int id1 = Int32.Parse(id);

    try
    {
        OleDbConnection con = new OleDbConnection();
        con.ConnectionString = @"Provider = Microsoft.ACE.OLEDB.12.0; Data Source = C:\dbms\jollibee.accdb";
        con.Open();

        OleDbCommand cmd = new OleDbCommand();
        cmd.Connection = con;
        cmd.CommandText = "update Employee_Details set username = '" + username.Text +
                                                            "'password = '" + password.Text +
                                                            "'account_Type='" + accountType.Text +
                                                            "'Name='" + name.Text +
                                                            "'Middle_Name='" + middlename.Text +
                                                            "'Surname'" + surname.Text +
                                                            "'address'" + address.Text +
                                                            "'BirthDate='" + birthdate.Value.ToShortDateString() +
                                                            "'Mobile_Number'" + mobilenumber.Text +
                                                            "'where ID = '" + id1 + "'";

        if (username.Text.Equals("") ||
            username.Text.Equals("") ||
            password.Text.Equals("") ||
            middlename.Text.Equals("") ||
            surname.Text.Equals("") ||
            address.Text.Equals("") ||
            accountType.Text.Equals("") ||
            mobilenumber.Text.Equals("")
           )
        {
            MessageBox.Show("Please fill all fields.");
            con.Close();
        }
        else if (age < 18)
        {
            MessageBox.Show("You are not allowed to work because you are under age..");
            con.Close();
        }
        else
        {
            cmd.ExecuteNonQuery();
            con.Close();
            MessageBox.Show(username.Text + "is now updated on database.");
            list();
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
}

In your existing code, there are issues like:

1- Columns in the update are not separated by ","

2- Not all strings are enclosed in quotes ''

You should always avoid writing queries inline by concatenation of strings. This will make your code vulnerable to SQL Injection.

To read more about SQL Injections check here.

Change your code like the following, using command parameters.

// [password] and [Name] are bracketed because both are reserved words in Access SQL.
// The Access OLE DB provider binds parameters by position, not by name, so the
// Parameters.Add calls must appear in the same order as the placeholders in the SQL text.
cmd.CommandText = "update Employee_Details set [username] = @un, [password] = @pw, [account_Type]= @at, [Name] = @nm, [Middle_Name]= @mn, [Surname]= @sn, [address]= @add, [BirthDate] = @bd, [Mobile_Number] = @mob WHERE [Id]=@id";
cmd.Parameters.Add("@un", OleDbType.VarChar).Value = username.Text;
cmd.Parameters.Add("@pw", OleDbType.VarChar).Value = password.Text;
cmd.Parameters.Add("@at", OleDbType.VarChar).Value = accountType.Text;
cmd.Parameters.Add("@nm", OleDbType.VarChar).Value = name.Text;
cmd.Parameters.Add("@mn", OleDbType.VarChar).Value = middlename.Text;
cmd.Parameters.Add("@sn", OleDbType.VarChar).Value = surname.Text;
cmd.Parameters.Add("@add", OleDbType.VarChar).Value = address.Text;
cmd.Parameters.Add("@bd", OleDbType.Date).Value = Convert.ToDateTime(birthdate.Value);
cmd.Parameters.Add("@mob", OleDbType.VarChar).Value = mobilenumber.Text; // a distinct name; reusing "@mn" here collided with Middle_Name
cmd.Parameters.Add("@id", OleDbType.Integer).Value = id1;                 // ID is an AutoNumber (Long Integer), so bind it as Integer

Note: You need to correct the datatypes based on your table structure, as it is not known to me.

Your completely malformed SQL should look like:

cmd.CommandText = "update Employee_Details set " +
                  "username = '" + username.Text + "'," +
                  "[password] = '" + password.Text + "'," +
                  "account_Type = '" + accountType.Text + "'," +
                  "[Name] = '" + name.Text + "'," +
                  "Middle_Name = '" + middlename.Text + "'," +
                  "Surname = '" + surname.Text + "'," +
                  "address = '" + address.Text + "'," +
                  // Access date literals are delimited with #; the slashes are quoted so the
                  // culture's date separator is not substituted (the original "yyyy'/'MM'/dd"
                  // left a quote unterminated, which throws a FormatException)
                  "BirthDate = #" + birthdate.Value.ToString("yyyy'/'MM'/'dd") + "#," +
                  "Mobile_Number = '" + mobilenumber.Text + "' " +
                  "where ID = " + id1;

That said, DO use parameters as already explained. Much easier and safer.
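A complete parameterized version of the same update, as an added example that is not the code of either answer above: the table, column names and placeholder order follow the page, while the Employee holder class, the method name and the validation rule are assumptions.

```csharp
using System;
using System.Data.OleDb;

public static class EmployeeRepository
{
    // Hypothetical holder for the textbox values (an assumption, not from the page).
    public sealed class Employee
    {
        public int Id;
        public string Username, Password, AccountType, Name, MiddleName, Surname, Address, MobileNumber;
        public DateTime BirthDate;
    }

    // Same UPDATE as on the page: columns separated by commas, every value a placeholder.
    // [password] and [Name] are bracketed because both are reserved words in Access SQL.
    // The Access OLE DB provider binds parameters by POSITION, so the Parameters.Add
    // calls in Update() must stay in exactly this placeholder order.
    private const string UpdateSql =
        "UPDATE Employee_Details SET [username] = ?, [password] = ?, [account_Type] = ?, " +
        "[Name] = ?, [Middle_Name] = ?, [Surname] = ?, [address] = ?, [BirthDate] = ?, " +
        "[Mobile_Number] = ? WHERE [ID] = ?";

    // Returns the number of rows changed: 1 on success, 0 if no employee has that ID.
    public static int Update(string connectionString, Employee emp)
    {
        // Validate before touching the database, so no connection is opened for bad input.
        if (string.IsNullOrWhiteSpace(emp.Username) || string.IsNullOrWhiteSpace(emp.Surname))
            throw new ArgumentException("Username and surname are required.");

        using (var con = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(UpdateSql, con))
        {
            // Parameter names are only labels for the OLE DB provider; position is what counts.
            cmd.Parameters.Add("@username", OleDbType.VarWChar, 255).Value = emp.Username;
            cmd.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = emp.Password;
            cmd.Parameters.Add("@accountType", OleDbType.VarWChar, 255).Value = emp.AccountType;
            cmd.Parameters.Add("@name", OleDbType.VarWChar, 255).Value = emp.Name;
            cmd.Parameters.Add("@middleName", OleDbType.VarWChar, 255).Value = emp.MiddleName;
            cmd.Parameters.Add("@surname", OleDbType.VarWChar, 255).Value = emp.Surname;
            cmd.Parameters.Add("@address", OleDbType.VarWChar, 255).Value = emp.Address;
            cmd.Parameters.Add("@birthDate", OleDbType.Date).Value = emp.BirthDate; // no # delimiters or format strings needed
            cmd.Parameters.Add("@mobile", OleDbType.VarWChar, 255).Value = emp.MobileNumber;
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = emp.Id;           // AutoNumber is a Long Integer

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Because the values never enter the SQL text, a surname such as O'Brien is stored verbatim instead of producing the "missing operator" error, and the statement text stays identical for every input, which is also what makes it safe.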
