Click here to Skip to main content
15,888,733 members
Search within:


need help with my update statement
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
VB
MS-Access
when i run and try to change the password it show error on "da.updatecommand.executenonquery()"
it said "syntax error in update statement"
error code : -2147217900
item:In order to evaluate an indexed property, the property must be qualified and the arguments must be explicitly supplied by the user.
message: Syntax error in UPDATE statement.
source: Microsoft Access Database Engine
do i need parameter? and how i add parameter if i need to?

VB
Sub gantiid()
        sql = "update USERLIST set USERNAME = '" & LOGIN.USERNAME.Text & "', PASSWORD= '" & renew.Text & "' where USERNAME ='" & LOGIN.USERNAME.Text & "'"
        kns.Open()
        da.UpdateCommand = New OleDbCommand(sql, kns)
        da.UpdateCommand.ExecuteNonQuery()
        kns.Close()
    End Sub

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        cariid()

        If ds.Tables("USERLIST").Rows.Count = 0 Then
            MessageBox.Show("You Have Enter Wrong Password", "Warning!")
            oldpass.Clear()
            newpass.Clear()
            renew.Clear()
            oldpass.Focus()
        ElseIf ds.Tables("USERLIST").Rows.Count = 1 And newpass.Text <> renew.Text Then
            MessageBox.Show("New Password And Confirmation Must Be Same!", "Warning!")
            newpass.Clear()
            renew.Clear()
            newpass.Focus()
        ElseIf ds.Tables("USERLIST").Rows.Count = 1 And newpass.Text = renew.Text Then
            gantiid()
            MessageBox.Show("Password Change Is Successful!", "Notice")
            Me.Close()
        End If
    End Sub
Posted
Updated 13-Jan-15 3:22am
v5
Add a Solution
Comments
Thanks7872 12-Jan-15 23:25pm    
Remove unnecessary code and keep only the part you have problem with. Use Improve question link to do the same.
vendir 13-Jan-15 9:19am    
i have improved it
Richard Deeming 13-Jan-15 9:25am    
Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

2 solutions

Start by fixing the SQL Injection[^] vulnerability in your code.

Also, there's no point updating the USERNAME column to the same value, so you can remove that part of the query.

You'll also need to wrap the PASSWORD column in square brackets (ie: [PASSWORD]), as it's a reserved word in Access.
VB
Sub gantiid()
    ' The OleDb provider doesn't use named parameters:
    sql = "update USERLIST set [PASSWORD] = ? where USERNAME = ?"

    kns.Open()
    da.UpdateCommand = New OleDbCommand(sql, kns)
    da.UpdateCommand.Parameters.AddWithValue("p0", renew.Text)
    da.UpdateCommand.Parameters.AddWithValue("p1", LOGIN.USERNAME.Text)
    da.UpdateCommand.ExecuteNonQuery()
    kns.Close()
End Sub


Once you've fixed that, you then need to review your password storage. You're currently storing passwords in plain-text, which is a really bad idea. You should be storing a salted hash of the password - see: Salted Password Hashing - Doing it Right[^]
 
Share this answer
 
Posted
Updated 14-Jan-15 1:46am
v2
Comments
vendir 13-Jan-15 23:39pm    
how can i fix the sql injection?
i have copied the fixed code but it still not working?
is salted password hashing can work with access db too?
Richard Deeming 14-Jan-15 7:47am    
Using a parameterized query (as per my answer) will fix the SQL injection vulnerability.

You'll also need to wrap PASSWORD in square brackets, as it's a reserved word in Access.
vendir 14-Jan-15 9:32am    
yes it is working..
thank you
is there any conditions that we need to use parameter other than this?
Richard Deeming 14-Jan-15 14:49pm    
I'm not sure what you mean?
vendir 14-Jan-15 22:31pm    
what parameter used for?
in what condition we need to use parameter? on this case we need it to build a sql query. sorry but i'm beginner on this thing
You may have problems with updating the field USERNAME. By your code it looks like the USERNAME field is indexed and unique. You might try:

sql = "update USERLIST set PASSWORD= '" & renew.Text & "' where USERNAME ='" & LOGIN.USERNAME.Text & "'"
 
Share this answer
 
Posted
Comments
vendir 13-Jan-15 9:18am    
i have tried it but it have same result and error
Richard Deeming 13-Jan-15 9:26am    
You have copied the SQL Injection[^] vulnerability from the question.

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
bojammis 23-Jan-15 15:21pm    
Thanks for pointing that out. Taking your advise, I am changing my sqlCommands to use parameters. Thanks
bojammis 13-Jan-15 12:10pm    
Good point but I would still consider and use the following: Some cases using string concatenation is acceptable. It is taking the steps to reject any string parts that violate your rules for SQL injection. My apologies - I didn't see that you are working on an Access DB my comments maybe null and void.
vendir 14-Jan-15 9:32am    
thank you too
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
order by in update statement
I need to create custom column using conditional statement.
need help update statement in sql servr
Proper format of declaring an update statement SQL
Syntax Error on Update Statement
Syntax error in update statement
I really need help fixing my errors
Need help in with move statement in sql
Update statement for datagridview
need help with my update code

Advertise
Privacy
Cookies
Terms of Use
Last Updated 14 Jan 2015
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web04 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900