问题
I have a small program that connects to an access database, and what I am trying to do is update(edit) a selected record via an edit form. When I execute my code, I get this error:
System.Data.OleDb.OleDbException was unhandled
Message=Syntax error (missing operator) in query expression '5346 S. Eubank blvd'.
Source=Microsoft Access Database Engine
ErrorCode=-2147217900
Needless to say, it is for the Address field..
Here is my code block:
private void saveChangeBtn_Click(object sender, EventArgs e)
{
Customer.SetCustID(Convert.ToInt32(editIdTB.Text));
Customer.SetFirstName(editFirstNameTB.Text);
Customer.SetLastName(editFirstNameTB.Text);
Customer.SetAddress(editAddressTB.Text);
Customer.SetPhoneNum(editPhoneTB.Text);
Customer.SetEmail(editEmailTB.Text);
using (OleDbConnection connect = new OleDbConnection(connectionString))
{
OleDbCommand cmd = new OleDbCommand();
connect.Open();
cmd.Connection = connect;
cmd.CommandText = "UPDATE Customers SET [Customer ID]=" + Customer.GetCustId() +
", [First Name]=" + Customer.GetFirstName() +
", [Last Name]=" + Customer.GetLastName() +
", [Address]=" + Customer.GetAddress() +
", [Phone Number]=" + Customer.GetPhoneNum() +
", [Email Address]=" + Customer.GetEmailAddress() +
", WHERE [Customer ID]=" + editIdTB.Text + "";
cmd.ExecuteNonQuery();
connect.Close();
MessageBox.Show("Changes made successfully!", "Success!", MessageBoxButtons.OK);
}
this.Close();
}
回答1:
Try this
cmd.CommandText = "UPDATE Customers SET [First Name]='" + Customer.GetFirstName() +
"', [Last Name]='" + Customer.GetLastName() +
"', [Address]='" + Customer.GetAddress() +
"', [Phone Number]='" + Customer.GetPhoneNum() +
"', [Email Address]='" + Customer.GetEmailAddress() +
"' WHERE [Customer ID]=" + editIdTB.Text;
回答2:
I think the problem you have is the comma before WHERE. Try remove that and give it a try.
It would be easier to diagnostics if you can capture the exact sql your executing, and try to run it in a query browser.
Also, I recommend you to use string.format when you are constructing the sql. For a better solution, try LINQ to SQL or Entity Framework.
回答3:
you need to put quotes around the values. that should solve the main problem here.
however, you have a pretty enormous security flaw here. google "sql injection" and you'll see that a bad guy can seriously ruin your week by putting malicious text into the editIfTB textbox
回答4:
Apart from security vulnernability, constructing queries this way will still have a stability problem. As soon as one of your data fields includes an apostrophe, the SQL will break again (e.g. surname O'Neill). Best practice is to supply all data values via parameters; it avoids the need to concatenate in all those single-quotes/apostrophes, won't be sensitive to data values, and won't have a security vulnerability.
来源:https://stackoverflow.com/questions/13898551/i-am-getting-an-error-when-i-try-to-update-records-in-my-access-database