I am getting an error when I try to update records in my access database

自作多情 submitted on 2020-01-05 04:41:17

Question


I have a small program that connects to an Access database, and what I am trying to do is update (edit) a selected record via an edit form. When I execute my code, I get this error:

System.Data.OleDb.OleDbException was unhandled
  Message=Syntax error (missing operator) in query expression '5346 S. Eubank blvd'.
  Source=Microsoft Access Database Engine
  ErrorCode=-2147217900

Needless to say, it is for the Address field.

Here is my code block:

private void saveChangeBtn_Click(object sender, EventArgs e)
{
    Customer.SetCustID(Convert.ToInt32(editIdTB.Text));
    Customer.SetFirstName(editFirstNameTB.Text);
    Customer.SetLastName(editFirstNameTB.Text);
    Customer.SetAddress(editAddressTB.Text);
    Customer.SetPhoneNum(editPhoneTB.Text);
    Customer.SetEmail(editEmailTB.Text);

    using (OleDbConnection connect = new OleDbConnection(connectionString))
    {
        OleDbCommand cmd = new OleDbCommand();
        connect.Open();

        cmd.Connection = connect;
        cmd.CommandText = "UPDATE Customers SET [Customer ID]=" + Customer.GetCustId() +
            ", [First Name]=" + Customer.GetFirstName() +
            ", [Last Name]=" + Customer.GetLastName() +
            ", [Address]=" + Customer.GetAddress() +
            ", [Phone Number]=" + Customer.GetPhoneNum() +
            ", [Email Address]=" + Customer.GetEmailAddress() + 
            ", WHERE [Customer ID]=" + editIdTB.Text + "";
        cmd.ExecuteNonQuery();
        connect.Close();
        MessageBox.Show("Changes made successfully!", "Success!", MessageBoxButtons.OK);
    }
    this.Close();
}

Answer 1:


Try this

cmd.CommandText = "UPDATE Customers SET [First Name]='" + Customer.GetFirstName() +
            "', [Last Name]='" + Customer.GetLastName() +
            "', [Address]='" + Customer.GetAddress() +
            "', [Phone Number]='" + Customer.GetPhoneNum() +
            "', [Email Address]='" + Customer.GetEmailAddress() + 
            "' WHERE [Customer ID]=" + editIdTB.Text;



Answer 2:


I think the problem you have is the comma before WHERE. Try removing that and give it a try.

It would be easier to diagnose if you can capture the exact SQL you're executing, and try to run it in a query browser.

Also, I recommend that you use string.format when you are constructing the SQL. For a better solution, try LINQ to SQL or Entity Framework.




Answer 3:


You need to put quotes around the values. That should solve the main problem here.

However, you have a pretty enormous security flaw here. Google "sql injection" and you'll see that a bad guy can seriously ruin your week by putting malicious text into the editIdTB textbox.




Answer 4:


Apart from the security vulnerability, constructing queries this way will still have a stability problem. As soon as one of your data fields includes an apostrophe, the SQL will break again (e.g. surname O'Neill). Best practice is to supply all data values via parameters; it avoids the need to concatenate in all those single-quotes/apostrophes, won't be sensitive to data values, and won't have a security vulnerability.
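
Added example, not part of any answer above and not the original poster's code: the UPDATE from the question rewritten with OleDb parameters, so an address containing spaces or a surname such as O'Neill is passed as data and never parsed as SQL. The class name, method name and signature are hypothetical; the table and column names come from the question, and [Customer ID] is assumed to be a numeric column.

```csharp
using System;
using System.Data.OleDb;

// Added example: hypothetical helper, not code from the original thread.
public static class CustomerRepository
{
    // Returns the number of rows updated (0 means no row has that Customer ID).
    public static int UpdateCustomer(string connectionString, int custId,
        string firstName, string lastName, string address, string phone, string email)
    {
        // The OleDb provider uses positional '?' placeholders. Values are bound
        // in the order the parameters are added; the parameter names are ignored.
        const string sql =
            "UPDATE Customers SET [First Name] = ?, [Last Name] = ?, [Address] = ?, " +
            "[Phone Number] = ?, [Email Address] = ? WHERE [Customer ID] = ?";

        using (var connect = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, connect))
        {
            // Order below must match the order of the '?' markers in the SQL text.
            AddText(cmd, "@first", firstName);
            AddText(cmd, "@last", lastName);
            AddText(cmd, "@address", address);
            AddText(cmd, "@phone", phone);
            AddText(cmd, "@email", email);
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = custId;

            connect.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // A null .NET value must be sent as DBNull, otherwise the provider
    // reports that the parameter has no value.
    private static void AddText(OleDbCommand cmd, string name, string value)
    {
        cmd.Parameters.Add(name, OleDbType.VarWChar).Value =
            (object)value ?? DBNull.Value;
    }
}
```

In the click handler, parse editIdTB.Text with int.TryParse before calling the method, and only show the success message when the return value is 1.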



Source: https://stackoverflow.com/questions/13898551/i-am-getting-an-error-when-i-try-to-update-records-in-my-access-database
