
I'm trying to update a table in MSAccess whose fields have the data type 'Text'. But when I run the code it shows a syntax error in the UPDATE statement. Here is my VB code:

    Dim user As String
    Dim password As String
    Dim dtT As New DataTable

    Dim cmd As New OleDb.OleDbCommand

    user = Me.TextBox1.Text
    password = Me.TextBox2.Text


    If Not cnn.State = ConnectionState.Open Then

        cnn.Open()
    End If
    Try
        Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

        ' MsgBox("STUDENT SAVED!!", MsgBoxStyle.MsgBoxRight)

        daA.Fill(dtT)
        Me.DG1.DataSource = dtT


        'password = DG1.Item(0, 0).Value
        'ss1 = DG1.Item(1, 0).Value

        If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then


            cmd.Connection = cnn
            cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text
            System.Console.WriteLine(cmd.CommandText)

            Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo)

            If result = DialogResult.Yes Then
                cmd.ExecuteNonQuery()
                MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight)
                Panel1.Hide()
            End If


        Else
            MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical)

        End If
        cnn.Close()

    Catch ex As Exception
        MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical)
    End Try

3 Answers


Never use string concatenation to create SQL commands. Always use PARAMETERS.
This resolves two problems: the single quote inside your strings, but, the most important thing, it avoids SQL injection attacks.

Dim cmd As New OleDb.OleDbCommand 
user = Me.TextBox1.Text 
password = Me.TextBox2.Text 

If Not cnn.State = ConnectionState.Open Then 
    cnn.Open() 
End If 

Try 
    Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE `password` =?", cnn) 
    daA.SelectCommand.Parameters.AddWithValue("@pass", password)
    daA.Fill(dtT) 
    Me.DG1.DataSource = dtT 


    If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then 
        cmd.Connection = cnn 
        cmd.CommandText = "UPDATE adlogin SET `password` = ? WHERE `user` = ?" 
        Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo) 
        If result = DialogResult.Yes Then 
            cmd.Parameters.AddWithValue("@pass", Me.TextBox3.Text)
            cmd.Parameters.AddWithValue("@user", user)
            cmd.ExecuteNonQuery() 
            MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight) 
            Panel1.Hide() 
        End If 
    Else 
        MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical) 
    End If 
    cnn.Close() 
Catch ex As Exception 
    MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical) 
End Try 


A couple of things:

SELECT *FROM adlogin etc...
        ^---no space

UPDATE adlogin [..snip...] WHERE user =" & Me.TextBox1.Text
                                       ^---- is "user" a numeric field? needs quotes if not.

2 Comments

Whether it is numeric or not, it should always have quotes to protect against injection.
Quotes don't do anything to prevent injection. Proper escaping/sanitization/parameterization does that. If you can inject data, you can easily inject a quote.

You need to put a space after the * on this line :

Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

to

Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

You also need to put your variable between single quotes:

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text

to

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user ='" & Me.TextBox1.Text & "'"
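The following is an added example, not code from the question or any of the answers. It puts the first answer's parameterised queries side by side with the concatenated ones from the question and the "just add quotes" suggestion of the third answer and the comments above, so the difference can be run rather than argued. SQLite stands in for Access (the same ? placeholder style that OLE DB uses), the adlogin rows are constructed sample data, and the function names are the example's own.

```python
import sqlite3

# Constructed sample rows for a SQLite stand-in of the Access table adlogin.
SEED_ROWS = [("s3cret", "admin"), ("guest1", "guest")]


def make_db():
    """Return an in-memory SQLite database holding the two constructed rows above."""
    conn = sqlite3.connect(":memory:")
    # The column names are quoted: "password" and "user" are both reserved
    # words in Access SQL, which is why the first answer wraps them in backticks.
    conn.execute('CREATE TABLE adlogin ("password" TEXT, "user" TEXT)')
    conn.executemany("INSERT INTO adlogin VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def find_by_password_concat(conn, typed):
    """The question's pattern: the text-box value is pasted into the SQL string.

    Returns the matching rows, or ("error", message) when what the user typed
    breaks the statement (for example, a value containing a single quote).
    """
    sql = "SELECT * FROM adlogin WHERE \"password\"='" + typed + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))


def find_by_password_param(conn, typed):
    """The first answer's fix: a ? placeholder, with the value bound separately."""
    return conn.execute(
        'SELECT * FROM adlogin WHERE "password" = ?', (typed,)
    ).fetchall()


def all_rows(conn):
    """Current (user, password) pairs, in a stable order for comparison."""
    return conn.execute(
        'SELECT "user", "password" FROM adlogin ORDER BY "user"'
    ).fetchall()


def set_password_concat(conn, user, new_pw):
    """The third answer's version: the user value is quoted but still concatenated."""
    sql = ("UPDATE adlogin SET \"password\"='" + new_pw
           + "' WHERE \"user\"='" + user + "'")
    try:
        conn.execute(sql)
        conn.commit()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return all_rows(conn)


def set_password_param(conn, user, new_pw):
    """Parameterised UPDATE: values bound in the order the placeholders appear."""
    conn.execute(
        'UPDATE adlogin SET "password" = ? WHERE "user" = ?', (new_pw, user)
    )
    conn.commit()
    return all_rows(conn)


if __name__ == "__main__":
    db = make_db()
    print(find_by_password_concat(db, "x' OR '1'='1"))        # every row: check bypassed
    print(find_by_password_param(db, "x' OR '1'='1"))         # []: the quote is just data
    print(set_password_concat(db, "x' OR '1'='1", "pwned"))   # both passwords overwritten
    print(set_password_param(make_db(), "admin", "O'Brien"))  # quote stored verbatim
```

Two things carry over to the VB.NET code. OleDbCommand against Access treats parameters positionally, so the names passed to AddWithValue ("@pass", "@user") are ignored and the Add calls must follow the order of the ? marks in the SQL. And the example keeps the plaintext password column the question's table has only to stay comparable; real login tables should store a salted hash and compare the hash of what was typed.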

