I am using MS Access and VB.NET, and I'm having a problem with an error in the update button.

The error is: syntax error

The code is:

Private Sub btnActualizar_Click(sender As Object, e As EventArgs) Handles btnActualizar.Click
        miConeccion.Open()
        Dim str As String
        str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido '" _
            & txtApe.Text & "' , Seguro Social = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
            & "', Ciudad " & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
            & " Where [NumId] = " & txtNumID.Text & ""
        Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
        Try
 
            comando.ExecuteNonQuery()
 
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try
        miConeccion.Close()
    End Sub
Thank You
Posted 23-Feb-13 21:48pm

1 solution


Solution 1

Equals sign and spaces and quotes, my friend. Equals sign and spaces and quotes...
str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido '" _
    & txtApe.Text & "' , Seguro Social = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
    & "', Ciudad " & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
    & " Where [NumId] = " & txtNumID.Text & ""
Becomes
str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido = '" _
    & txtApe.Text & "' , [Seguro Social] = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
    & "', Ciudad ='" & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
    & "' Where [NumId] = " & txtNumID.Text & ""

But don't do it like that!
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

"Thanks, can you refer me to a link to learn how to parametrize the queries instead? Thank you"

Simple (but a cut down version because I'm feeling lazy):
str = "UPDATE tblClientes SET Nombre = @NOM WHERE NumId=@NI"
Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
' Add the parameters in the same order they appear in the SQL text
comando.Parameters.AddWithValue("@NOM", txtNombre.Text)
comando.Parameters.AddWithValue("@NI", txtNumID.Text)
You can see that it is easier to read, and it means that I can't destroy your database by typing in the text boxes! :laugh:

Look at Parameters.AddWithValue on MSDN and it will explain more - there are versions for SqlCommand, MySqlCommand, OleDbCommand, etc.
Comments
Joel Sosa Rivera 24-Feb-13 3:56am
   
Thanks, can you refer me to a link to learn how to parametrize the queries instead? Thank you
OriginalGriff 24-Feb-13 4:17am
   
Answer updated - and it'll probably solve your other question as well...
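
Added example (not part of the original thread or the answerer's code): the full UPDATE from the question written as a parameterized OleDb command, extending the cut-down version in Solution 1 to every column. The helper name ActualizarCliente, the connection-string argument, the 255-character lengths and the assumption that NumId is a numeric column are illustrative, not taken from the page.

```vbnet
Imports System.Data.OleDb

Module ActualizarClienteEjemplo
    ' Hypothetical helper: the caller passes the connection string and the text-box values.
    Public Function ActualizarCliente(connectionString As String, numIdText As String,
                                      nombre As String, apellido As String,
                                      seguroSocial As String, zipCode As String,
                                      ciudad As String, telefono As String) As Integer
        ' Assumption: NumId is numeric (the question concatenates it without quotes).
        ' Reject anything that is not a whole number before touching the database.
        Dim numId As Integer
        If Not Integer.TryParse(numIdText, numId) Then
            Throw New ArgumentException("NumId must be a whole number.", "numIdText")
        End If

        ' The SQL text is a constant; user input never becomes part of it.
        ' [Seguro Social] needs brackets because the column name contains a space.
        Const sql As String =
            "UPDATE [tblClientes] SET Nombre = ?, Apellido = ?, [Seguro Social] = ?, " &
            "ZipCode = ?, Ciudad = ?, Telefono = ? WHERE [NumId] = ?"

        Using conn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, conn)
                ' OleDb binds parameters by position, not by name: add them in the
                ' same order as the ? markers. The names below are labels only.
                ' Lengths of 255 are an assumed column size.
                cmd.Parameters.Add("@Nombre", OleDbType.VarWChar, 255).Value = nombre
                cmd.Parameters.Add("@Apellido", OleDbType.VarWChar, 255).Value = apellido
                cmd.Parameters.Add("@SeguroSocial", OleDbType.VarWChar, 255).Value = seguroSocial
                cmd.Parameters.Add("@ZipCode", OleDbType.VarWChar, 255).Value = zipCode
                cmd.Parameters.Add("@Ciudad", OleDbType.VarWChar, 255).Value = ciudad
                cmd.Parameters.Add("@Telefono", OleDbType.VarWChar, 255).Value = telefono
                cmd.Parameters.Add("@NumId", OleDbType.Integer).Value = numId

                conn.Open()
                ' Returns the number of rows updated; 0 means no row had that NumId.
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Module
```

A value such as `O'Brien` or `x' OR '1'='1` in any text box is stored as literal text here, because the provider sends it as data rather than splicing it into the statement.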

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 24 Feb 2013