I am using MS Access and VB.NET, and I'm having a problem with an error in the update button.
 
The error is: syntax error
 
The code is:

Private Sub btnActualizar_Click(sender As Object, e As EventArgs) Handles btnActualizar.Click
        miConeccion.Open()
        Dim str As String
        str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido '" _
            & txtApe.Text & "' , Seguro Social = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
            & "', Ciudad " & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
            & " Where [NumId] = " & txtNumID.Text & ""
        Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
        Try
 
            comando.ExecuteNonQuery()
 
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try
        miConeccion.Close()
    End Sub
 
Thank You
Posted 23-Feb-13 22:48pm

1 solution


Solution 1

Equals sign and spaces and quotes, my friend. Equals sign and spaces and quotes...
        str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido '" _
            & txtApe.Text & "' , Seguro Social = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
            & "', Ciudad " & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
            & " Where [NumId] = " & txtNumID.Text & ""
Becomes
        str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido = '" _
            & txtApe.Text & "' , [Seguro Social] = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
            & "', Ciudad ='" & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
            & "' Where [NumId] = " & txtNumID.Text & ""
 
But don't do it like that!
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
 
"Thanks can you refer me a link to learn how to Parametrized the queries instead? Thank You"
 
Simple (but a cut down version because I'm feeling lazy):
str = "UPDATE tblClientes SET Nombre = @NOM WHERE NumId=@NI"
Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
' OleDb binds parameters by position, so add them in the order they appear in the SQL.
comando.Parameters.AddWithValue("@NOM", txtNombre.Text)
comando.Parameters.AddWithValue("@NI", txtNumID.Text)
You can see that it is easier to read, and it means that I can't destroy your database by typing in the text boxes!
 
Look at Parameters.AddWithValue on MSDN and it will explain more - there are versions for SqlCommand, MySqlCommand, OleDbCommand, etc.
Comments
Joel Sosa Rivera at 24-Feb-13 3:56am
   
Thanks can you refer me a link to learn how to Parametrized the queries instead? Thank You
OriginalGriff at 24-Feb-13 4:17am
   
Answer updated - and it'll probably solve your other question as well...
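
The full six-column UPDATE from the question written with parameters, as an added example that is not part of the original answer. The function name ActualizarCliente, the connection string argument and the column sizes are assumptions; the table and column names and the unquoted (numeric) NumId come from the question.

```vbnet
Imports System
Imports System.Data.OleDb

Module ClienteUpdates
    ' Positional ? markers: the Access OLE DB provider ignores parameter names.
    Private Const UpdateSql As String = _
        "UPDATE [tblClientes] SET Nombre = ?, Apellido = ?, [Seguro Social] = ?, " & _
        "ZipCode = ?, Ciudad = ?, Telefono = ? WHERE [NumId] = ?"

    ' Returns the number of rows changed (0 means no row has that NumId).
    Public Function ActualizarCliente(connectionString As String, _
                                      numIdText As String, _
                                      nombre As String, apellido As String, _
                                      seguroSocial As String, zipCode As String, _
                                      ciudad As String, telefono As String) As Integer
        ' Validate the key as a number before it goes anywhere near the database.
        Dim numId As Integer
        If Not Integer.TryParse(numIdText, numId) Then
            Throw New ArgumentException("NumId must be a whole number.", "numIdText")
        End If

        Using conexion As New OleDbConnection(connectionString)
            Using comando As New OleDbCommand(UpdateSql, conexion)
                ' Add parameters in exactly the order of the ? markers above.
                ' Sizes are assumed; match them to the real column definitions.
                With comando.Parameters
                    .Add("Nombre", OleDbType.VarWChar, 50).Value = nombre
                    .Add("Apellido", OleDbType.VarWChar, 50).Value = apellido
                    .Add("SeguroSocial", OleDbType.VarWChar, 11).Value = seguroSocial
                    .Add("ZipCode", OleDbType.VarWChar, 10).Value = zipCode
                    .Add("Ciudad", OleDbType.VarWChar, 50).Value = ciudad
                    .Add("Telefono", OleDbType.VarWChar, 20).Value = telefono
                    .Add("NumId", OleDbType.Integer).Value = numId
                End With

                conexion.Open()
                ' Values travel as data, so a quote in a text box cannot
                ' change the statement or break its syntax.
                Return comando.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```

From the button handler, pass the text box values straight in; the Using blocks close the connection even when ExecuteNonQuery throws.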

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 24 Feb 2013