C# 为什么在这个update语句中出现语法错误?
我想更新m/s access数据库中的一个表,在该表中,用户输入了新密码以替换旧密码,但update语句中出现语法错误。请帮忙C# 为什么在这个update语句中出现语法错误?,c#,ms-access,syntax-error,oledb,update-statement,C#,Ms Access,Syntax Error,Oledb,Update Statement,我想更新m/s access数据库中的一个表,在该表中,用户输入了新密码以替换旧密码,但update语句中出现语法错误。请帮忙 public partial class resetPassword : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { } protected void SubmitButton_Click(o
public partial class resetPassword : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void SubmitButton_Click(object sender, EventArgs e)
{
string userName = (string) Session["username"];
string str = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\inetpub\wwwroot\JetStar\database\JetstarDb.accdb";
var con = new OleDbConnection(str);
con.Open();
string pwd = Request.Form["conPassword"];
OleDbCommand cmd = new OleDbCommand("UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'", con);
try
{
cmd.ExecuteNonQuery();
MessageBox.Show("Your password has been changed successfully.");
}
catch (Exception ex)
{
Response.Write(ex.Message);
}
finally
{
con.Close();
}
}
}
这可能是因为
密码[password]OLEDB连接OLEDB命令using(OleDbConnection con = new OleDbConnection(str))
using(OleDbCommand cmd = con.CreateCommand())
{
cmd.CommandText = "UPDATE [users] SET [password] = ? WHERE username = ?";
cmd.Parameters.Add("pass", OleDbType.VarChar).Value = pwd;
cmd.Parameters.Add("user", OleDbType.VarChar).Value = userName;
con.Open();
try
{
cmd.ExecuteNonQuery();
MessageBox.Show("Your password has been changed successfully.");
}
catch (Exception ex)
{
Response.Write(ex.Message);
}
}
这可能是因为
密码[password]OLEDB连接OLEDB命令using(OleDbConnection con = new OleDbConnection(str))
using(OleDbCommand cmd = con.CreateCommand())
{
cmd.CommandText = "UPDATE [users] SET [password] = ? WHERE username = ?";
cmd.Parameters.Add("pass", OleDbType.VarChar).Value = pwd;
cmd.Parameters.Add("user", OleDbType.VarChar).Value = userName;
con.Open();
try
{
cmd.ExecuteNonQuery();
MessageBox.Show("Your password has been changed successfully.");
}
catch (Exception ex)
{
Response.Write(ex.Message);
}
}
OleDbCommand cmd = new OleDbCommand("UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'", con);
String s = "UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'";
Console.WriteLine(s);
OleDbCommand cmd = new OleDbCommand(s, con);
Response.Write(ex.Message);
(a) 我刚刚不知从何处得到的一个统计数据——实际值可能大不相同。92.3%(a)如果在使用命令之前打印命令,并阅读错误消息,那么所有DB问题中的一个都会变得明显 因此,请替换:
OleDbCommand cmd = new OleDbCommand("UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'", con);
String s = "UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'";
Console.WriteLine(s);
OleDbCommand cmd = new OleDbCommand(s, con);
Response.Write(ex.Message);
(a) 我刚刚不知从何处收集到的一个统计数据-实际值可能大不相同。首先要解决的问题是:使用参数化SQL,而不是将值直接放入SQL中。第二件要修复的事情:不要将明文密码放入数据库。这两种方法都不可能解决您当前的问题,但鉴于此处缺乏安全性,代码不起作用比它造成安全漏洞要好。此外,发布语法错误消息可能有助于更快地发现错误。正如乔恩Switt已经声明的那样,参数化SQL不太容易出现故障,因此您可能需要考虑使用它。在这个语句中可能存在“字符串STR= @”提供程序=微软.ACE。OELDB 12的问题;数据源=C:\inetpub\wwwroot\JetStar\database\JetstarDb.accdb”;“改用双斜杠将解决此问题。@AmolBavannavar-字符串标记为字符串文字(前面的
@@VarChar.Add()OleDbType.VarCharVarChar.Add()OleDbType.VarChar