[英]syntax error missing operator in query expression c# using access as database
我在文本框中输入的所有内容都出现语法错误。
在我的数据库中,所有要求都是字符串,而不是ID(它是一个自动编号),我尝试搜索可能的答案,但都没有用,或者我只是错过了一些答案
这是错误:
查询表达式``hasdasd'password ='h'account_Type ='Manager'Name ='h'Middle_Name ='h'Surname'h'address'h'BirthDate ='3/17/1999'中的语法错误(缺少运算符) Mobile_Number'65465'。
码:
private void update_Click(object sender, EventArgs e)
{
DateTime bdate = DateTime.Parse(birthdate.Value.ToShortDateString());
DateTime currentDate = DateTime.Parse(DateTime.Now.Date.ToShortDateString());
int age = currentDate.Year - bdate.Year;
String id = emp_view.SelectedRows[0].Cells[0].Value + String.Empty;
int id1 = Int32.Parse(id);
try
{
OleDbConnection con = new OleDbConnection();
con.ConnectionString = @"Provider = Microsoft.ACE.OLEDB.12.0; Data Source = C:\dbms\jollibee.accdb";
con.Open();
OleDbCommand cmd = new OleDbCommand();
cmd.Connection = con;
cmd.CommandText = "update Employee_Details set username = '" + username.Text +
"'password = '" + password.Text +
"'account_Type='" + accountType.Text +
"'Name='" + name.Text +
"'Middle_Name='" + middlename.Text +
"'Surname'" + surname.Text +
"'address'" + address.Text +
"'BirthDate='" + birthdate.Value.ToShortDateString() +
"'Mobile_Number'" + mobilenumber.Text +
"'where ID = '" + id1 + "'";
if (username.Text.Equals("") ||
username.Text.Equals("") ||
password.Text.Equals("") ||
middlename.Text.Equals("") ||
surname.Text.Equals("") ||
address.Text.Equals("") ||
accountType.Text.Equals("") ||
mobilenumber.Text.Equals("")
)
{
MessageBox.Show("Please fill all fields.");
con.Close();
}
else if (age < 18)
{
MessageBox.Show("You are not allowed to work because you are under age..");
con.Close();
}
else
{
cmd.ExecuteNonQuery();
con.Close();
MessageBox.Show(username.Text + "is now updated on database.");
list();
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
在您现有的代码中,存在类似的问题。
1-更新中的列不以“,”分隔
2-所有字符串都不用引号引起来''
您应始终避免通过字符串串联来内联编写查询。 这将使您的代码容易受到SQL注入的攻击。
要了解有关SQL注入的更多信息,请点击此处
像使用命令参数一样更改代码。
cmd.CommandText = "update Employee_Details set [username] = @un, [password] = @pw, [account_Type]= @at, [Name] = @nm, [Middle_Name]= @mn, [Surname]= @sn, [address]= @add, [BirthDate] = @bd, [Mobile_Number] = @mn WHERE [Id]=@id";
cmd.Parameters.Add("@un", OleDbType.VarChar).Value = username.Text;
cmd.Parameters.Add("@pw", OleDbType.VarChar).Value = password.Text;
cmd.Parameters.Add("@at", OleDbType.VarChar).Value = accountType.Text;
cmd.Parameters.Add("@nm", OleDbType.VarChar).Value = name.Text;
cmd.Parameters.Add("@mn", OleDbType.VarChar).Value = middlename.Text;
cmd.Parameters.Add("@sn", OleDbType.VarChar).Value = surname.Text;
cmd.Parameters.Add("@add", OleDbType.VarChar).Value = address.Text;
cmd.Parameters.Add("@bd", OleDbType.Date).Value = Convert.ToDateTime(birthdate.Value);
cmd.Parameters.Add("@mn", OleDbType.VarChar).Value = mobilenumber.Text;
cmd.Parameters.Add("@id", OleDbType.VarChar).Value = id1;
注意:您需要根据表结构来更正数据类型,因为我现在知道它。
您的格式完全错误的 SQL应该如下所示:
cmd.CommandText = "update Employee_Details set " +
"username = '" + username.Text + "',"+
"[password] = '" + password.Text + "'," +
"account_Type = '" + accountType.Text + "'," +
"[Name] = '" + name.Text + "'," +
"Middle_Name = '" + middlename.Text + "'," +
"Surname = '" + surname.Text + "'," +
"address = '" + address.Text + "'," +
"BirthDate = #" + birthdate.Value.ToString("yyyy'/'MM'/dd") + "#," +
"Mobile_Number = '" + mobilenumber.Text + "' " +
"where ID = " + id1 + "";
也就是说,请使用已说明的参数。 更轻松,更安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.