Solve error in update query - sql

I have code that throws an error - I need your help to solve it.
The error is
Syntax error in update statement
My code:
Try
Dim conn As OleDbConnection = New OleDbConnection(My.Resources.ConnectionString)
Dim cmd As OleDbCommand
conn.Open()
Dim Sql As String = "select * from Administretor"
cmd = New OleDbCommand(Sql, conn)
Dim userE, userR As String
userE = txtOldPass.Text
Dim reder As OleDbDataReader = cmd.ExecuteReader()
While reder.Read()
userR = reder.Item(0)
End While
If userE = userR Then
If txtNewPass.Text = txtNewConfromPass.Text And txtNewConfromPass.Text <> "" And txtNewPass.Text <> "" Then
Sql = "UPDATE Administretor SET PASSWORD='" & txtNewPass.Text & " where LogIn_id=" & txtOldPass.Text & ""
Dim cmd0 As OleDbCommand = New OleDbCommand(Sql, conn)
cmd0.ExecuteNonQuery()
Else
MsgBox("Make sure that you have entered new password in both text Box and they both are same...!")
End If
Else
MsgBox("Enter the correct Username")
End If
MsgBox("Done 2")
Catch ex As OleDbException
MsgBox(ex.Message)
End Try

Two errors
"UPDATE Administretor SET PASSWORD='" & txtNewPass.Text & " where LogIn_id=" & txtOldPass.Text & ""
^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| |
Missing single quote here---+ |
|
LogIn_Id will never equal the old password--------------------------------+
But apart from the simple syntax errors you have a huge SQL injection vulnerability from building the SQL out of pieces including user input.

In this part,
"UPDATE Administretor SET PASSWORD='" & txtNewPass.Text & " where ...
The PASSWORD will have a single quote before it, and no single quote after it.
Change it to:
"UPDATE Administretor SET PASSWORD='" & txtNewPass.Text & "' where ...
Notice the extra single quote here ----------------------------------------^

Add this syntax :
Sql = "UPDATE Administretor SET PASSWORD='" & txtNewPass.Text & " where LogIn_id=" & txtOldPass.Text & ""
Clipboard.SetText(Sql)
The query will be in your clipboard. Run it on SQL(whichever you are using), and see if the query runs smoothly?
Please show us what the query generation holds and what the error it produce when running directly from the SQL.

Related

how to reduce quantity using vb.net

has an error (An unhandled exception of type 'System.ArgumentOutOfRangeException' occurred in mscorlib.dll
Additional information: Index and length must refer to a location within the string.)
mycmd.Connection = myconnection.open
Dim dami As Integer = quantityt.Text
mycmd.CommandText = "Update inventory set total_quantity=total_quantity-'" & dami & "' where item_code='" & itemcodet.Text & "'"
mycmd.ExecuteNonQuery()
MsgBox("stocks decrease!!", MsgBoxStyle.Information, "Noticed..")
myconnection.close()
I think you have problem with following line
mycmd.CommandText = "Update inventory set total_quantity=total_quantity-'" & dami & "' where item_code='" & itemcodet.Text & "'"
should be
mycmd.CommandText = "Update inventory set total_quantity=total_quantity-" & dami & " where item_code='" & itemcodet.Text & "'"
dont use apostrophe ' when counting with integer.. apostrophes use only in case of string
I used the SQL server provider for demonstration. Change to whatever database you are using. Check the actual data types of your fields in your database. Open the connection at the last minute. See my comment about Using blocks.
Private Sub OPCode()
Using myconnection As New SqlConnection("Your connection string")
Using mycmd As New SqlCommand("Update inventory set total_quantity = total_quantity - #dami where item_code = #itemCode;", myconnection)
mycmd.Parameters.Add("#dami", SqlDbType.Int).Value = CInt(quantityt.Text)
mycmd.Parameters.Add("#itemCode", SqlDbType.VarChar).Value = itemcodet.Text
myconnection.Open()
mycmd.ExecuteNonQuery()
End Using
End Using
MsgBox("stocks decrease!!", MsgBoxStyle.Information, "Noticed..")
End Sub

VB.net - Syntax error in ms access SQL update query

I have prepared my project in vb.net with access database, but I am getting an error like "syntax error in update statement"
I have used following code:
Dim cn As New OleDb.OleDbConnection
Dim cm As New OleDb.OleDbCommand
cn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\NAV Vikram\DATABASE NAVPREET.mdb"
cn.Open()
cm.Connection = cn
cm.CommandText = "UPDATE DATAENTRY2 set [DIAGNOSIS]='" & TextBox13.Text & "',WHERE[opdno]='" & TextBox1.Text & "' "
cm.ExecuteNonQuery()
Any help would be appreciated.
omit , before WHERE and add space after it. Change:
cm.CommandText = "UPDATE DATAENTRY2 set [DIAGNOSIS]='" & TextBox13.Text & "',WHERE[opdno]='" & TextBox1.Text & "' "
to:
cm.CommandText = "UPDATE DATAENTRY2 set [DIAGNOSIS]='" & TextBox13.Text & "' WHERE [opdno]='" & TextBox1.Text & "' "
Also Use SQL parameters. (Not very keen to vb to show you example)
You have syntax error in your query. Please remove comma (,) you have used before where clause from query, as it is used to separate two different column
Dim cn As New OleDb.OleDbConnection
Dim cm As New OleDb.OleDbCommand
cn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\NAV Vikram\DATABASE NAVPREET.mdb"
cn.Open()
cm.Connection = cn
cm.CommandText = "UPDATE DATAENTRY2 set [DIAGNOSIS]='" & TextBox13.Text & "' WHERE[opdno]='" & TextBox1.Text & "' "
cm.ExecuteNonQuery()

syntax error in FROM clause in vb.net

Dim nm As String
Dim pass As String
nm = TextBox1.Text
pass = TextBox2.Text
Try
cn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Pavilion\Documents\Visual Studio 2010\Projects\WindowsApplication5\Ent.accdb"
cn.Open()
Dim sql As String
sql = "SELECT * FROM user WHERE UName='" & nm & "'AND Pwd='" & pass & "'"
cmd = New OleDbCommand(sql, cn)
dr = cmd.ExecuteReader
While (dr.Read())
If ((nm.Equals(dr(0))) And pass.Equals(dr(1))) Then
MessageBox.Show("Login Sucessful")
End If
End While
Catch ex As Exception
MsgBox("Login Failed :" & ex.Message)
End Try
This code is giving the following error syntax error in FROM clause
#Tim is correct, but I think you might also have problem with your SQL as user is a reserved word. If I execute
SELECT * FROM user WHERE UName='fred' AND Pwd='123'
in SQL Server
I get told Incorrect syntax near the keyword 'user'.
You can overcome this by putting [] around the tablename, i.e.
Select * FROM [user] WHERE UName='fred' AND Pwd='123'
If the code you posted is copy and paste, you're missing a space between the username and the AND keyword.
Your code:
"SELECT * FROM user WHERE UName='" & nm & "'AND Pwd='" & pass & "'"
Should be:
"SELECT * FROM user WHERE UName='" & nm & "' AND Pwd='" & pass & "'"
However, you should use parameterized queries to avoid the possibility of SQL injection attacks. Something like this:
sql = "SELECT * FROM user WHERE UName=#nm AND Pwd=#pass"
cmd = New OleDbCommand(sql, cn)
cmd.Parameters.AddWithValue("#nm", TextBox1.Text)
cmd.Parameters.AddWithValue("#pass", TextBox2.Text)
cmd.CommandType = CommandType.Text
dr = cmd.ExecuteReader
Try
cn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Pavilion\Documents\Visual Studio 2010\Projects\WindowsApplication5\Ent.accdb"
cn.Open()
Dim sql As String
sql = "SELECT * FROM user WHERE UName='" + nm + "'AND Pwd='" + pass + "'"
cmd = New OleDbCommand(sql, cn)
dr = cmd.ExecuteReader
While (dr.Read())
If ((nm.Equals(dr(0))) And pass.Equals(dr(1))) Then
MessageBox.Show("Login Sucessful")
End If
End While
Catch ex As Exception
MsgBox("Login Failed :" & ex.Message)
End Try
"SELECT Firstname FROM [RegUser] where Firstname=#d3 and password=#d4"
i just enclose my table name into brackets and its done.. it works actually
i hope this will help you a lot..

execute multiple command for update vb.net

i am working on a vb project . in this i need to save some record to one table and update some records in another table in one event or click .. i am doing like this .
dim simpan as new sqlcommand
conn = New SqlConnection(connectionstring)
conn.Open()
simpan = New SqlCommand()
simpan.Connection = conn
simpan.CommandType = CommandType.Text
simpan.CommandText = "update barang set (nama_barang,harga)values(" & TextBox3.Text & ",'" & TextBox4.Text & "') where kode_barang = '" & TextBox2.Text & "'"
simpan.ExecuteNonQuery()
tampil()
MsgBox("Data Berhasil Diubah", MsgBoxStyle.Information, "Informasi")
conn.Close()
but it giving error as "incorrect syntax near '('" .. i am not getting where i go wrong .. please help me
I see a couple issues with this...
Your Syntax is wrong on your update statement (Al-3sli beat me to that one).
Your textbox values will cause issues if a user types a single quote in the text box (For Example: The word "Wasn't".
Add the replace function to each textbox TextBox3.text.Replace("'","''") That will replace single ticks with two single ticks.
You might also consider using parameterized queries
You can't use update like this, change your code like so:
simpan.CommandText = "update barang set nama_barang = '" & TextBox3.Text & "',harga ='" & TextBox4.Text & "' where kode_barang = '" & TextBox2.Text & "'"
simpan.ExecuteNonQuery()

Sql query to update new values to column Visual Basic

This is my code:
Dim job As String = TextBoxJobNum.Text
Dim idws As Integer
sqlQuery = "UDATE Equipment SET JobHistory = JobHistory+'" & job & "' WHERE ID = '" & idws & "'"
Dim sqlCmd1 As New SqlCommand(sqlQuery, sqlConn)
If sqlConn.State = ConnectionState.Closed Then sqlConn.Open()
For Each row As DataGridViewRow In DataGridViewEquip.Rows
idws = CInt(row.Cells(0).Value)
sqlCmd1.ExecuteNonQuery()
Next
If sqlConn.State = ConnectionState.Open Then sqlConn.Close()
I get the error "Syntax error near '=' " I have searched everywhere but cant seem to find the
correct Syntax for this line. Any help would be greatly appreciated.
Looks to me like you are just missing a "P" in the word "UPDATE"
sqlQuery = "UPDATE Equipment SET JobHistory = JobHistory+'" & job & "' WHERE ID = '" & idws & "'"
Also I would recommend not setting parameters using string concatenation, but instead use parameters on a SqlCommand object. The reason for this is reducing potential problems such as additional escaping (if the "job" variable contains a "'" for example) or SQL injection.