【Question title】:Syntax error in SQL update query
【Posted】:2012-07-21 03:18:53
【Question】:

I am trying to update a table in MS Access whose field has the data type "Text". But when I run the code, it shows a syntax error in the UPDATE statement. Here is my VB code:

    Dim user As String
    Dim password As String
    Dim dtT As New DataTable

    Dim cmd As New OleDb.OleDbCommand

    user = Me.TextBox1.Text
    password = Me.TextBox2.Text


    If Not cnn.State = ConnectionState.Open Then

        cnn.Open()
    End If
    Try
        Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

        ' MsgBox("STUDENT SAVED!!", MsgBoxStyle.MsgBoxRight)

        daA.Fill(dtT)
        Me.DG1.DataSource = dtT


        'password = DG1.Item(0, 0).Value
        'ss1 = DG1.Item(1, 0).Value

        If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then


            cmd.Connection = cnn
            cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text
            System.Console.WriteLine(cmd.CommandText)

            Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo)

            If result = DialogResult.Yes Then
                cmd.ExecuteNonQuery()
                MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight)
                Panel1.Hide()
            End If


        Else
            MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical)

        End If
        cnn.Close()

    Catch ex As Exception
        MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical)
    End Try

【Comments】:

    Tags: mysql vb.net


    【Answer 1】:

    Never use string concatenation to build SQL commands. Always use PARAMETERS.
    This solves two problems: single quotes inside the strings, but most importantly, it avoids SQL Injection Attacks.

    Dim cmd As New OleDb.OleDbCommand 
    user = Me.TextBox1.Text 
    password = Me.TextBox2.Text 
    
    If Not cnn.State = ConnectionState.Open Then 
        cnn.Open() 
    End If 
    
    Try 
        Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE `password` =?", cnn) 
        daA.SelectCommand.Parameters.AddWithValue("@pass", password)
        daA.Fill(dtT) 
        Me.DG1.DataSource = dtT 
    
    
        If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then 
            cmd.Connection = cnn 
            cmd.CommandText = "UPDATE adlogin SET `password` = ? WHERE `user` = ?" 
            Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo) 
            If result = DialogResult.Yes Then 
                cmd.Parameters.AddWithValue("@pass", Me.TextBox3.Text)
                cmd.Parameters.AddWithValue("@user", user)
                cmd.ExecuteNonQuery() 
                MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight) 
                Panel1.Hide() 
            End If 
        Else 
            MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical) 
        End If 
        cnn.Close() 
    Catch ex As Exception 
        MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical) 
    End Try 
    

    【Comments】:

      【Answer 2】:

      A few things:

      SELECT *FROM adlogin etc...
              ^---no space
      
      UPDATE adlogin [..snip...] WHERE user =" & Me.TextBox1.Text
                                             ^---- is "user" a numeric field? needs quotes if not.
      

      【Comments】:

      • Whether it is numeric or not, there should be quotes to prevent injection.
      • Quotes do nothing to prevent injection. Proper escaping/sanitizing/parameterization does that. If you can inject data, you can easily inject a quote.
      【Answer 3】:

      You need a space after the * on this line:

      Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

      Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

      You also need to put the variable between ' characters:

      cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text

      cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user ='" & Me.TextBox1.Text & "'"

      【Comments】:
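      As an added example (not code from the question or from any of the answers), the Python script below runs the question's concatenated UPDATE, Answer 3's quoted variant and Answer 1's parameterized form against a constructed in-memory SQLite copy of `adlogin`. Python's `sqlite3` module stands in for VB.NET with OleDb on Access, so the exact error messages differ, but the behaviour being compared (bare value vs. quoted value vs. parameter when the data contains an apostrophe) is the same.

```python
import sqlite3

# Constructed sample rows standing in for the asker's `adlogin` table.
ROWS = [("s3cret", "alice"), ("O'Brien", "bob")]

def make_db():
    # In-memory SQLite database (stand-in for the Access file) holding adlogin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adlogin (password TEXT, user TEXT)")
    conn.executemany("INSERT INTO adlogin VALUES (?, ?)", ROWS)
    return conn

def password_of(conn, user):
    # Parameterized read-back of one user's stored password.
    row = conn.execute("SELECT password FROM adlogin WHERE user = ?", (user,)).fetchone()
    return row[0] if row else None

def update_concatenated(conn, user, new_password):
    # The question's UPDATE: values spliced into the SQL text, user left unquoted.
    conn.execute("UPDATE adlogin SET password ='" + new_password + "' WHERE user =" + user)

def update_quoted(conn, user, new_password):
    # Answer 3's fix: user wrapped in quotes, but still string concatenation.
    conn.execute("UPDATE adlogin SET password ='" + new_password + "' WHERE user ='" + user + "'")

def update_parameterized(conn, user, new_password):
    # Answer 1's approach: '?' placeholders; the driver receives the values separately.
    conn.execute("UPDATE adlogin SET password = ? WHERE user = ?", (new_password, user))

def run_attempt(fn, conn, user, new_password):
    # Return ('ok', stored password) or ('error', message) for one update attempt.
    try:
        fn(conn, user, new_password)
        return ("ok", password_of(conn, user))
    except sqlite3.Error as exc:
        return ("error", str(exc))

def demo():
    # Run the three UPDATE styles on plain and apostrophe-bearing input.
    conn = make_db()
    return {
        # bare `user =alice` is read as a column reference, not a string value
        "concat_plain": run_attempt(update_concatenated, conn, "alice", "hunter2"),
        # quoting fixes the plain case; an apostrophe in the data still breaks the statement
        "quoted_plain": run_attempt(update_quoted, conn, "alice", "hunter2"),
        "quoted_apostrophe": run_attempt(update_quoted, conn, "alice", "it's"),
        # parameters keep the apostrophe as data; the SQL text never changes
        "param_apostrophe": run_attempt(update_parameterized, conn, "alice", "it's"),
        "bob_untouched": password_of(conn, "bob"),
    }
```

      Calling `demo()` returns one tuple per attempt, so the failing statements can be inspected side by side with the parameterized one that stored the same input unchanged.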
