Share via

How to solve “Syntax Error in UPDATE Statement” Error?

Mehmet Semih RÜZGAR 1 Reputation point
2021-07-07T12:41:55.933+00:00 
 baglanti.Open();

OleDbCommand guncellekomutu1 = new OleDbCommand("update Malzemeler set ComponentNo='" + TxtParcaNumarasi.Text + "',Producer='" + TxtUretici.Text + "',ShelfNo='" + TxtRafNo.Text + "',BoxNo='" + TxtKutuNumarasi.Text + "',Piece='" + TxtAdet.Text + "',ProductName='" + TxtMalzemeAdi.Text + "',SerialNo='" + TxtSeriNo.Text + "',TAINo='" + TxtTAINo.Text + "',Barcode='" + TxtBarkod.Text + "',Depositary='" + TxtZimmet.Text + "',UploadDate='" + dateTimePicker1.Text + "',LastUpdateDate='" + dateTimePicker2.Text + "',LastUpdatedPerson='" + label12.Text + "',Note='" + txtnot.Text + "' where IDNo=@IDNo", baglanti);

guncellekomutu1.Parameters.Add("@IDNo", OleDbType.Integer).Value = label26.Text;
guncellekomutu1.ExecuteNonQuery();
baglanti.Close();
MessageBox.Show("Material Updated!", "TUSAS SEL Warehouse Tracking Program", MessageBoxButtons.OK, MessageBoxIcon.Information);
Microsoft 365 and Office Access Development

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Michael Taylor 60,161 Reputation points
    2021-07-07T13:17:48.993+00:00

    Your code is a prime example of a SQL injection attack and is strongly, strongly not recommended. You should never, under any circumstances, use string concatenation to build up a database command. It is trivial to make your code do dangerous things like wipe your entire database. This is your first problem.

    The fix to this issue is to use parameters. You are already using parameters for the where clause. Do that same thing for all user input fields. Once you've made that conversion then I think the problem with your query will become very clear.

    OleDbCommand guncellekomutu1 = new OleDbCommand("update Malzemeler" + 
                                                                                                 " set ComponentNo=@numaras, Producer= @uretici, Note=@note" +
                                                                                                 " where IDNo=@IDNo", baglanti);

guncellekomutu1.Parameters.Add("@IDNo", OleDbType.Integer).Value = label26.Text;
guncellekomutu1.Parameters.Add("@numaras", OleDbType.VarChar, 80).Value = TxtParcaNumarasi.Text;
...
guncellekomutu1.ExecuteNonQuery();
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.