Syntax Error in FROM Clause - MS. Access - vb.net

Here's the code :
str = "select * from user where username= '" & txtUsername.Text & "' & password = '" & txtPassword.Text & "'"
perintah = New OleDbCommand(str, conn)
reader = perintah.ExecuteReader()
If reader.Read Then
MessageBox.Show("login success")
Else
MessageBox.Show("login failed")
End If

Most likely the immediate issue is that "user" is a reserved word. Not 100% sure about Access but it is in most databases. Try escaping it, i.e. "[user]", and see if that fixes it.
I also just noticed that you are using "&" where "AND" is the operator you need. I believe that "password" is a reserved word too, so escape that also.
You still have other potential issues there too though. Using string concatenation to insert values into SQL code is a recipe for disaster, not only potentially causing syntax errors but, even worse, opening you up to SQL injection. Read this for more information. In this case specifically, do something like this:
str = "SELECT * FROM [user] WHERE username = @username AND [password] = @password"
perintah = New OleDbCommand(str, conn)
perintah.Parameters.Add("@username", OleDbType.VarChar, 50).Value = txtUsername.Text
perintah.Parameters.Add("@password", OleDbType.VarChar, 50).Value = txtPassword.Text

Related

How to resolve the syntax error in UPDATE statement

What is wrong with this code? I did everything but I still get a
syntax error in UPDATE statement
Dim konfirmasi As String = MsgBox("Yakin data ingin diubah ?", vbQuestion + vbYesNo, "Konfirmasi")
If konfirmasi = vbYes Then
SqlQuery = "Update Tabel_Pengguna set " & _
"Username = '" & txtUsername.Text & "'," & _
"Password ='" & txtPassword.Text & "' where Kode_Pengguna = '" & txtKodePengguna.Text & "'"
CMD = New OleDbCommand(SqlQuery, DB)
CMD.ExecuteNonQuery()
MsgBox("Data berhasil diubah", vbInformation, "Informasi")
To make MsgBox work you would need to use the bitwise Or operator. This function returns a MsgBoxResult not a String. I suggest you change to the .net MessageBox and leave the old VB6 code behind.
Private Sub OPCode()
'Dim konfirmasi As MsgBoxResult = MsgBox("Yakin data ingin diubah ?", vbQuestion Or vbYesNo, "Konfirmasi")
Dim konfirmasi As DialogResult = MessageBox.Show("Yakin data ingin diubah ?", "Konfirmasi", MessageBoxButtons.YesNo, MessageBoxIcon.Question)
If konfirmasi = DialogResult.Yes Then
UpdatePengguna(txtUsername.Text, txtPassword.Text, txtKodePengguna.Text)
End If
End Sub
Keep connections local to the methods where they are used so they can be closed and disposed with Using...End Using blocks. In this code both the connection and the command are included in the Using block; note the comma at the end of the first line of the Using.
Always use parameters to avoid Sql injection. With OleDb the names of the parameters are ignored but we use descriptive names to make reading the code easier. It is the order that matters. The order that the parameters appear in the Sql statement must match the order in which the parameters are added to the parameters collection. You will have to check your database for the correct datatypes and field sizes. I suspect Kode_Pengguna might be a numeric type. If so, be sure to change the datatype of the passed-in parameter PenKode.
I believe you are neglecting to open your connection unless you are passing around open connections (be still my heart!). Open the connection at the last minute, directly before the .Execute... and close it as soon as possible with the End Using.
Private Sub UpdatePengguna(UserName As String, Password As String, PenKode As String)
Using cn As New OleDbConnection(ConStr),
cmd As New OleDbCommand("Update Tabel_Pengguna Set [UserName] = @Username, [Password] = @Password Where Kode_Pengguna = @Kode;", cn)
cmd.Parameters.Add("@Username", OleDbType.VarChar, 100).Value = UserName
cmd.Parameters.Add("@Password", OleDbType.VarChar, 100).Value = Password
cmd.Parameters.Add("@Kode", OleDbType.VarChar, 100).Value = PenKode
cn.Open()
cmd.ExecuteNonQuery()
End Using
MessageBox.Show("Data berhasil diubah", "Informasi", MessageBoxButtons.OK, MessageBoxIcon.Information)
End Sub
I really hope you are not saving passwords as plain text.

No value given for one or more required parameters error vb.net

no_hp = TextBox1.Text
alamat = TextBox2.Text
password = TextBox3.Text
cmd = New OleDbCommand("UPDATE [user] SET no_hp = '" & CInt(TextBox1.Text) & "',alamat = " & TextBox2.Text & ", pin ='" & CInt(TextBox3.Text) & "' WHERE id = " & id & "", conn)
cmd.Connection = conn
cmd.ExecuteReader()
I was trying to update my Access database and got the following error.
I can't seem to see where I went wrong.
I already changed the data type from the textbox to match the data types used in the database.
The no_hp and pin are integers, so I converted them with CInt, but it doesn't seem to work.
I already tried to substitute it into a variable, but it still didn't work.
Please tell me where I went wrong.
Use Parameters to avoid SQL injection, a malicious attack that can mean data loss. The parameter names in Access do not matter. It is the order in which they are added, which must match the order in the SQL statement, that matters.
The Using...End Using statements ensure that your objects are closed and disposed even if there is an error. This is most important for connections.
You don't need to set the connection property of the command because you passed the connection in the constructor of the command.
ExecuteReader is for retrieving data. Use ExecuteNonQuery to update, insert or delete.
Private Sub UpdateUsers()
Using conn As New OleDbConnection("Your connection string")
Using cmd = New OleDbCommand("UPDATE [user] SET no_hp = ?,alamat = ?, pin =? WHERE id = ?", conn)
cmd.Parameters.Add("nohp", OleDbType.Integer).Value = CInt(TextBox1.Text)
cmd.Parameters.Add("alamat", OleDbType.VarChar).Value = TextBox2.Text
cmd.Parameters.Add("pword", OleDbType.Integer).Value = CInt(TextBox3.Text)
cmd.Parameters.Add("id", OleDbType.Integer).Value = id
conn.Open()
cmd.ExecuteNonQuery()
End Using
End Using
End Sub

Concatenate database query result to a string

I am trying to take the single result from a SQL query and concatenate it to a string. Using SQL Server and Visual Studios.
Dim Password As SqlDataReader
cmd.CommandText = "Select Password from tblLogin where Username = '" & UsernameTextBox.Text & "' and EmailAddress = '" & EmailAddressTextBox.Text & "'"
Password = cmd.ExecuteReader
EmailMessage.Body = ("Your password is: " & Password)
The error I am getting is that I cannot use the operator & with Password.
The Password variable in your code is a SQLDataReader object, not a string. It can have many values, so you need to get the part you want out of it. (https://msdn.microsoft.com/en-us/library/haa3afyz(v=vs.110).aspx?cs-save-lang=1&cs-lang=vb#code-snippet-2)
If Password.HasRows Then
Do While Password.Read()
EmailMessage.Body = ("Your password is: " & Password.GetString(0))
Loop
Else
Console.WriteLine("No rows found.")
End If
I would also recommend changing the Password SqlDataReader to a different name, just to make it less confusing.

syntax error in FROM clause in vb.net

Dim nm As String
Dim pass As String
nm = TextBox1.Text
pass = TextBox2.Text
Try
cn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Pavilion\Documents\Visual Studio 2010\Projects\WindowsApplication5\Ent.accdb"
cn.Open()
Dim sql As String
sql = "SELECT * FROM user WHERE UName='" & nm & "'AND Pwd='" & pass & "'"
cmd = New OleDbCommand(sql, cn)
dr = cmd.ExecuteReader
While (dr.Read())
If ((nm.Equals(dr(0))) And pass.Equals(dr(1))) Then
MessageBox.Show("Login Sucessful")
End If
End While
Catch ex As Exception
MsgBox("Login Failed :" & ex.Message)
End Try
This code is giving the following error syntax error in FROM clause
@Tim is correct, but I think you might also have a problem with your SQL as user is a reserved word. If I execute
SELECT * FROM user WHERE UName='fred' AND Pwd='123'
in SQL Server
I get told Incorrect syntax near the keyword 'user'.
You can overcome this by putting [] around the tablename, i.e.
Select * FROM [user] WHERE UName='fred' AND Pwd='123'
If the code you posted is copy and paste, you're missing a space between the username and the AND keyword.
Your code:
"SELECT * FROM user WHERE UName='" & nm & "'AND Pwd='" & pass & "'"
Should be:
"SELECT * FROM user WHERE UName='" & nm & "' AND Pwd='" & pass & "'"
However, you should use parameterized queries to avoid the possibility of SQL injection attacks. Something like this:
sql = "SELECT * FROM user WHERE UName=@nm AND Pwd=@pass"
cmd = New OleDbCommand(sql, cn)
cmd.Parameters.AddWithValue("@nm", TextBox1.Text)
cmd.Parameters.AddWithValue("@pass", TextBox2.Text)
cmd.CommandType = CommandType.Text
dr = cmd.ExecuteReader
Try
cn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Pavilion\Documents\Visual Studio 2010\Projects\WindowsApplication5\Ent.accdb"
cn.Open()
Dim sql As String
sql = "SELECT * FROM user WHERE UName='" + nm + "'AND Pwd='" + pass + "'"
cmd = New OleDbCommand(sql, cn)
dr = cmd.ExecuteReader
While (dr.Read())
If ((nm.Equals(dr(0))) And pass.Equals(dr(1))) Then
MessageBox.Show("Login Sucessful")
End If
End While
Catch ex As Exception
MsgBox("Login Failed :" & ex.Message)
End Try
"SELECT Firstname FROM [RegUser] where Firstname=@d3 and password=@d4"
I just enclosed my table name in brackets and it's done. It actually works.
I hope this will help you a lot.

How to Update Password

I'm trying to change a password. Can you look for this and tell what's wrong? Some times I get a Syntax error in the UPDATE statement or even it is working the password didn't change in database. Here's my code:
Dim sqlquery As String = "UPDATE tblLogin SET pword = ? WHERE pword = '" & txtnewpass.Text & "' "
Dim sqlcmd As New OleDbCommand(sqlquery, con)
sqlcmd.Parameters.AddWithValue("@pword", txtnewpass.Text)
con.Open()
sqlcmd.ExecuteNonQuery()
con.Close()
MessageBox.Show("Your password has been changed", "Change Password", MessageBoxButtons.OK, MessageBoxIcon.Information)
Thank you for your help
I don't know VB and VB SQL syntax by heart, but a quick look at your code shows that there are at least two mistakes.
"UPDATE tblLogin SET pword = ?
should be
"UPDATE tblLogin SET pword = @pword
The
WHERE pword = '" & txtnewpass.Text & "' "
should be
WHERE pword = '" & txtoldpass.Text & "' "
Or make it with @param as well. You are trying to change a password which doesn't exist yet.
Besides that, passwords should be encrypted in the database, and you shouldn't match (where clause) just by password. What if 2 users have the same password? You will change both users' passwords ;)
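The three points the answers on this page keep returning to (concatenated SQL breaks on an apostrophe and invites injection, positional parameters must be bound in the order they appear in the statement, and a password change should be keyed on the user's id with a hashed password rather than the plain-text value) are shown together below as an added Python + sqlite3 example, not the VB.NET/OleDb code from any of the posts. sqlite3 uses the same positional "?" placeholders as OleDb, and the table, users and passwords are constructed here purely for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the Access [user] table from the thread: sqlite3 takes
# the same positional "?" placeholders as OleDb, so binding order matters here too.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE [user] (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return conn

def hash_password(password, salt):
    # Store a salted PBKDF2 hash instead of a plain-text password column
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def add_user(conn, username, password):
    salt = os.urandom(16)
    conn.execute("INSERT INTO [user] (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))

def find_user_concat(conn, username):
    # The pattern from the questions: a legitimate apostrophe already breaks the SQL
    sql = "SELECT id, salt, pw_hash FROM [user] WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()

def find_user_param(conn, username):
    # Same query with a bound parameter: the value is data and is never parsed as SQL
    return conn.execute("SELECT id, salt, pw_hash FROM [user] WHERE username = ?",
                        (username,)).fetchone()

def login(conn, username, password):
    """Return the user id on success, None otherwise."""
    row = find_user_param(conn, username)
    if row is None:
        return None
    user_id, salt, pw_hash = row
    return user_id if hmac.compare_digest(hash_password(password, salt), pw_hash) else None

def change_password(conn, user_id, old_password, new_password):
    """Verify the old password, then UPDATE keyed on id, not on the password value."""
    row = conn.execute("SELECT salt, pw_hash FROM [user] WHERE id = ?", (user_id,)).fetchone()
    if row is None or not hmac.compare_digest(hash_password(old_password, row[0]), row[1]):
        return 0
    salt = os.urandom(16)
    # Bind values in the order the placeholders appear: salt, pw_hash, id
    cur = conn.execute("UPDATE [user] SET salt = ?, pw_hash = ? WHERE id = ?",
                       (salt, hash_password(new_password, salt), user_id))
    return cur.rowcount  # 1 row touched, even if another user shares the same password
```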