I am using MS Access and VB.NET, and I'm having a problem with an error in the update button.

The error is: syntax error

The code is:

VB
Private Sub btnActualizar_Click(sender As Object, e As EventArgs) Handles btnActualizar.Click
        miConeccion.Open()
        Dim str As String
        str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido '" _
            & txtApe.Text & "' , Seguro Social = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
            & "', Ciudad " & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
            & " Where [NumId] = " & txtNumID.Text & ""
        Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
        Try

            comando.ExecuteNonQuery()

        Catch ex As Exception
            MsgBox(ex.Message)
        End Try
        miConeccion.Close()
    End Sub

Thank You

1 solution

Equals sign and spaces and quotes, my friend. Equals sign and spaces and quotes...
VB
str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido '" _
    & txtApe.Text & "' , Seguro Social = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
    & "', Ciudad " & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
    & " Where [NumId] = " & txtNumID.Text & ""
Becomes
VB
str = "UPDATE [tblClientes] set Nombre = '" & txtNombre.Text & "', Apellido = '" _
    & txtApe.Text & "' , [Seguro Social] = '" & txtSS.Text & "', ZipCode = '" & txtZipCode.Text _
    & "', Ciudad ='" & txtCiudad.Text & "', Telefono = '" & txtNumT.Text _
    & "' Where [NumId] = " & txtNumID.Text & ""


But don't do it like that!
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

"Thanks can you refer me a link to learn how to Parametrized the queries instead? Thank You"

Simple (but a cut down version because I'm feeling lazy):
VB
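' Placeholders take the place of the concatenated text box values.
' OleDb binds parameters by position, so add them in the order they appear in the SQL.
str = "UPDATE tblClientes SET Nombre = @NOM WHERE NumId=@NI"
Dim comando As OleDbCommand = New OleDbCommand(str, miConeccion)
comando.Parameters.AddWithValue("@NOM", txtNombre.Text)
comando.Parameters.AddWithValue("@NI", txtNumID.Text)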

You can see that it is easier to read, and it means that I can't destroy your database by typing in the text boxes! :laugh:

Look at Parameters.AddWithValue on MSDN and it will explain more - there are versions for SqlCommand, MySqlCommand, OleDbCommand, etc.
Comments
Joel Sosa Rivera 24-Feb-13 3:56am    
Thanks can you refer me a link to learn how to Parametrized the queries instead? Thank You
OriginalGriff 24-Feb-13 4:17am    
Answer updated - and it'll probably solve your other question as well...
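
The cut-down parameterized command from the answer above, extended to every column of the original UPDATE. This is an added example, not code from the question or the answer; the function name `ActualizarCliente`, the column sizes and the Integer type of NumId are assumptions to adjust to the real tblClientes schema.

```vbnet
Imports System.Data.OleDb

Public Module ClienteUpdates
    ' Hypothetical helper: returns the number of rows updated (0 if NumId matched nothing).
    Public Function ActualizarCliente(connectionString As String,
                                      numIdText As String,
                                      nombre As String, apellido As String,
                                      seguroSocial As String, zipCode As String,
                                      ciudad As String, telefono As String) As Integer
        ' NumId is compared as a number in the WHERE clause, so reject
        ' anything that is not a whole number before touching the database.
        Dim numId As Integer
        If Not Integer.TryParse(numIdText, numId) Then
            Throw New ArgumentException("NumId must be a whole number.", "numIdText")
        End If

        ' No user text is ever concatenated into the SQL string.
        ' [Seguro Social] needs brackets because the column name contains a space.
        Const sql As String =
            "UPDATE [tblClientes] SET Nombre = ?, Apellido = ?, [Seguro Social] = ?, " &
            "ZipCode = ?, Ciudad = ?, Telefono = ? WHERE [NumId] = ?"

        Using cn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, cn)
                ' OleDb binds by position: parameters must be added in the same
                ' order as the ? markers. The names are only labels for the reader.
                ' Sizes below are assumed, not taken from the real table.
                cmd.Parameters.Add("Nombre", OleDbType.VarWChar, 50).Value = nombre
                cmd.Parameters.Add("Apellido", OleDbType.VarWChar, 50).Value = apellido
                cmd.Parameters.Add("SeguroSocial", OleDbType.VarWChar, 11).Value = seguroSocial
                cmd.Parameters.Add("ZipCode", OleDbType.VarWChar, 10).Value = zipCode
                cmd.Parameters.Add("Ciudad", OleDbType.VarWChar, 50).Value = ciudad
                cmd.Parameters.Add("Telefono", OleDbType.VarWChar, 20).Value = telefono
                cmd.Parameters.Add("NumId", OleDbType.Integer).Value = numId

                cn.Open()
                Return cmd.ExecuteNonQuery()
            End Using ' command disposed
        End Using ' connection closed even if ExecuteNonQuery throws
    End Function
End Module
```

A value such as `O'Neil` in any text box is stored as data here, whereas in the concatenated version the apostrophe ends the string literal and produces the same kind of syntax error the question started with.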

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)