问题
Here is my button command for save. need help in getting this to work, will be getting this to defend for tomorrow school project. Thanks! Its for Datagridview, access, c#. I use 2010VS and MS Access 2007.
private void save_Click(object sender, EventArgs e)
{
if (adminyes.Checked == true || adminno.Checked == true && textBox1.Text != null && textBox2.Text != null && textBox3.Text != null)
{
admin = "Yes";
if (mode == "a")
{
x = 0;
connect.Close();
connect.ConnectionString = inventorydb;
connect.Open();
sqlcommand.CommandText = "SELECT * FROM Users WHERE Username ='" +textBox2.Text+ "' Or User_ID ='" +textBox1.Text+ "' ";
sqlcommand.Connection = connect;
OleDbDataReader reader = sqlcommand.ExecuteReader();
while (reader.Read())
{
x++;
}
if (x != 0)
{
MessageBox.Show("", "",MessageBoxButtons.OK);
}
else
{
DialogResult res = MessageBox.Show("Are you sure?", "Save User", MessageBoxButtons.YesNo, MessageBoxIcon.Warning);
if (DialogResult.Yes == res)
{
connect.Close();
connect.ConnectionString = inventorydb;
connect.Open();
sqlcommand.CommandText = "INSERT INTO Users (User_ID, Username, Password, Admin) VALUES ('" + textBox1.Text + "','" + textBox2.Text + "', '" + textBox3.Text + "', '" + admin + "') ";
sqlcommand.Connection = connect;
reader = sqlcommand.ExecuteReader();
MessageBox.Show("Record(s) Saved", "Sample");
}
reset();
}
}
else if (mode == "e")
{
DialogResult res = MessageBox.Show("Are you sure?", "Update User", MessageBoxButtons.YesNo, MessageBoxIcon.Warning);
if (DialogResult.Yes == res)
{
connect.Close();
connect.ConnectionString = inventorydb;
connect.Open();
sqlcommand.CommandText = "UPDATE Users SET User_ID = '" + textBox1.Text + "', Username = '" + textBox2.Text + "', Password = '" + textBox3.Text + "',Admin = '" + admin + "' WHERE SerialID = '" + idholder + "' ";
sqlcommand.Connection = connect;
OleDbDataReader reader = sqlcommand.ExecuteReader();
reader.Read();
MessageBox.Show("Record(s) Updated", "Sample");
}
reset();
}
}
else
{
MessageBox.Show("", "", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
回答1:
Password is a reserved word in Access. Change it to [Password] in your SQL queries. You should wrap all columns and tables like this.
Although this is just a school project I'll mention a few things:
Your code is vulnerable to SQL injection. Here's how to fix this for your insert method as an example:
sqlcommand.CommandText = "INSERT INTO [Users] ([User_ID], [Username], [Password], [Admin]) VALUES (@user_id, @username, @password, @admin)";
sqlcommand.Connection = connect;
sqlcommand.Parameters.AddWithValue("@user_id", textBox1.Text);
sqlcommand.Parameters.AddWithValue("@username", textBox2.Text);
sqlcommand.Parameters.AddWithValue("@password", textBox3.Text);
sqlcommand.Parameters.AddWithValue("@admin", admin);
reader = sqlcommand.ExecuteReader();
Also passwords shouldn't be stored in plain text. Look into password hashing and salting and how to approach it properly for more information.
来源:https://stackoverflow.com/questions/39688685/insert-and-update-syntax-error-on-database-datagrid