0

I am trying to update an MS Access table whose field data type is "Text". However, when I run the code I get a syntax error in the UPDATE statement. Here is my VB code:

    Dim user As String
    Dim password As String
    Dim dtT As New DataTable

    Dim cmd As New OleDb.OleDbCommand

    user = Me.TextBox1.Text
    password = Me.TextBox2.Text


    If Not cnn.State = ConnectionState.Open Then

        cnn.Open()
    End If
    Try
        Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

        ' MsgBox("STUDENT SAVED!!", MsgBoxStyle.MsgBoxRight)

        daA.Fill(dtT)
        Me.DG1.DataSource = dtT


        'password = DG1.Item(0, 0).Value
        'ss1 = DG1.Item(1, 0).Value

        If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then


            cmd.Connection = cnn
            cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text
            System.Console.WriteLine(cmd.CommandText)

            Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo)

            If result = DialogResult.Yes Then
                cmd.ExecuteNonQuery()
                MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight)
                Panel1.Hide()
            End If


        Else
            MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical)

        End If
        cnn.Close()

    Catch ex As Exception
        MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical)
    End Try

3 Answers

2

Don't use string concatenation to build SQL commands. Always use parameters.
This solves two problems: single quotes inside the string, and, most importantly, it avoids SQL injection attacks.

Dim cmd As New OleDb.OleDbCommand 
user = Me.TextBox1.Text 
password = Me.TextBox2.Text 

If Not cnn.State = ConnectionState.Open Then 
    cnn.Open() 
End If 

Try 
    Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE `password` =?", cnn) 
    daA.SelectCommand.Parameters.AddWithValue("@pass", password)
    daA.Fill(dtT) 
    Me.DG1.DataSource = dtT 


    If user = DG1.Item(1, 0).Value And password = DG1.Item(0, 0).Value Then 
        cmd.Connection = cnn 
        cmd.CommandText = "UPDATE adlogin SET `password` = ? WHERE `user` = ?" 
        Dim result = MsgBox("Change Administrator password!!! Are you sure?", MsgBoxStyle.YesNo) 
        If result = DialogResult.Yes Then 
            cmd.Parameters.AddWithValue("@pass", Me.TextBox3.Text)
            cmd.Parameters.AddWithValue("@user", user)
            cmd.ExecuteNonQuery() 
            MsgBox("PassWord Changed", MsgBoxStyle.MsgBoxRight) 
            Panel1.Hide() 
        End If 
    Else 
        MsgBox("INVALID PASSWORD", MsgBoxStyle.Critical) 
    End If 
    cnn.Close() 
Catch ex As Exception 
    MsgBox("INVALID PASSWORD " & ex.Message, MsgBoxStyle.Critical) 
End Try 
answered 2012-07-20T18:12:33.747
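To make the two problems in this answer concrete, here is an added example (not code from the question or the answers) that runs the asker's concatenated SELECT and UPDATE beside the parameterized versions. It assumes an in-memory sqlite3 table as a stand-in for the Access `adlogin` table; like OleDb, sqlite3 uses positional `?` markers, so the parameter names passed to AddWithValue above are ignored and only the order matters.

```python
import sqlite3

# Constructed sample (password, user) rows for the adlogin table.
SAMPLE_ROWS = [("secret", "admin"), ("o'brien", "pat")]


def make_db():
    conn = sqlite3.connect(":memory:")  # assumed stand-in for the Access database
    # "password" and "user" are quoted because both are reserved words, as in the answer.
    conn.execute('CREATE TABLE adlogin ("password" TEXT, "user" TEXT)')
    conn.executemany("INSERT INTO adlogin VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def concatenated_lookup(conn, password):
    # The asker's SELECT: the input is spliced into the SQL text, so a quote inside
    # it ends the literal early and the rest of the input is parsed as SQL.
    sql = "SELECT * FROM adlogin WHERE password='" + password + "'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, password):
    # The answer's form: the value is bound separately and never becomes SQL text.
    sql = 'SELECT * FROM adlogin WHERE "password" = ?'
    return conn.execute(sql, (password,)).fetchall()


def concatenated_update(conn, new_password, user):
    # The asker's UPDATE: "user" is a Text field but is spliced in without quotes,
    # so any non-numeric user name yields a malformed statement.
    sql = "UPDATE adlogin SET password ='" + new_password + "' WHERE user =" + user
    return conn.execute(sql).rowcount


def parameterized_update(conn, new_password, user):
    sql = 'UPDATE adlogin SET "password" = ? WHERE "user" = ?'
    rowcount = conn.execute(sql, (new_password, user)).rowcount
    conn.commit()
    return rowcount


def fails(fn, *args):
    # True when the SQL parser rejects the statement (the "syntax error" the asker sees).
    try:
        fn(*args)
    except sqlite3.OperationalError:
        return True
    return False
```

With this data, `concatenated_lookup(conn, "o'brien")` and `concatenated_update(conn, "newpass", "admin")` both fail at the parser, while the parameterized versions handle the same inputs as plain values.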
0

You need to put a space after the * in this line:

Dim daA As New OleDb.OleDbDataAdapter("SELECT *FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

Dim daA As New OleDb.OleDbDataAdapter("SELECT * FROM adlogin WHERE password='" & Me.TextBox2.Text & "'", cnn)

Also, you need to put the variable between ' characters:

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user =" & Me.TextBox1.Text

cmd.CommandText = "UPDATE adlogin SET password ='" & Me.TextBox3.Text & "' WHERE user ='" & Me.TextBox1.Text & "'"

answered 2012-07-20T17:12:11.650
0

A couple of things:

SELECT *FROM adlogin etc...
        ^---no space

UPDATE adlogin [..snip...] WHERE user =" & Me.TextBox1.Text
                                       ^---- is "user" a numeric field? needs quotes if not.
answered 2012-07-20T17:12:34.023