0

VB.net 访问更新查询在更新查询错误中给出语法错误。我的查询如下:

query = "UPDATE users SET username='" & newUsername & "', password='" & newPassword & "', department='" & newDepartment & "', display_name='" & newDisplayName & "', email='" & newEmail & "', extension='" & newExtension & "', access_level='" & newAccessLevel & "' WHERE id=" & usrID

以上变量都没有任何符号。我究竟做错了什么?

::更新::

UPDATE users SET username='alison', password='farm1234',department='1',display_name='Alison *****', email='production@**********.com', extension='1012',access_level='50' WHERE id=1

这就是查询的运行方式。

4

2 回答 2

2

The error is caused by the usage of the reserved keyword PASSWORD without enclosing it in square brackets.

Said that, you never use string concatenation to build sql commands, but always a parameterized query to avoid Sql Injection problems but also syntax error in parsing text values (containing single quotes) or decimal values with their decimal separators or dates values.

So, a possible approach to your task could be

query = "UPDATE users SET username=?, [password]=?, department=?, " & _
        "display_name=?, email=?, extension=?, access_level=?" & _
        " WHERE id=?"

Using cmd = new OleDbCommand(query, connection)
   cmd.Parameters.AddWithValue("@p1", newUsername)
   cmd.Parameters.AddWithValue("@p2", newPassword)   
   cmd.Parameters.AddWithValue("@p3", newDepartment)   
   cmd.Parameters.AddWithValue("@p4", newDisplayName)
   cmd.Parameters.AddWithValue("@p5", newEmail)
   cmd.Parameters.AddWithValue("@p6", newExtension)
   cmd.Parameters.AddWithValue("@p7", newAccessLevel)   
   cmd.Parameters.AddWithValue("@p8", usrID)
   cmd.ExecuteNonQuery()

End Using

Keep in mind that OleDb doesn't use the parameter names to find the corresponding placeholder in sql command text. Instead it uses a positional progression and thus adding the parameters to the collection should respect the order in which the parameter appears in the sql command text

于 2013-07-29T13:36:42.203 回答
0 
   ConStr()
    Qry="UPDATE users SET username=@uname, [password]=@pass, department=@dept, " & _
            "display_name=@dnam, email=@email, extension=@ext, access_level=@acslvl" & _
            " WHERE id=@id"
    cmd = new oledbcommand(Qry,Conn)
    cmd.Parameters.AddWithValue("@uname",newUsername)
    cmd.Parameters.AddWithValue("@pass",newPassword)
    cmd.Parameters.AddWithValue("@dept",newDepartment)
    cmd.Parameters.AddWithValue("@dnam",newDisplayName)
    cmd.Parameters.AddWithValue("@email",newEmail)
    cmd.Parameters.AddWithValue("@ext",newExtension)
    cmd.Parameters.AddWithValue("@acslvl",newAccessLevel)
    cmd.Parameters.AddWithValue("@id",usrID)
    cmd.ExecuteNonQuery()
于 2013-07-29T15:07:11.450 回答