Question

I have a small program that connects to an Access database, and what I am trying to do is update (edit) a selected record via an edit form. When I execute my code, I get this error:

System.Data.OleDb.OleDbException was unhandled
  Message=Syntax error (missing operator) in query expression '5346 S. Eubank blvd'.
  Source=Microsoft Access Database Engine
  ErrorCode=-2147217900

Needless to say, it is for the Address field.

Here is my code block:

private void saveChangeBtn_Click(object sender, EventArgs e)
{
    Customer.SetCustID(Convert.ToInt32(editIdTB.Text));
    Customer.SetFirstName(editFirstNameTB.Text);
    Customer.SetLastName(editFirstNameTB.Text);
    Customer.SetAddress(editAddressTB.Text);
    Customer.SetPhoneNum(editPhoneTB.Text);
    Customer.SetEmail(editEmailTB.Text);

    using (OleDbConnection connect = new OleDbConnection(connectionString))
    {
        OleDbCommand cmd = new OleDbCommand();
        connect.Open();

        cmd.Connection = connect;
        cmd.CommandText = "UPDATE Customers SET [Customer ID]=" + Customer.GetCustId() +
            ", [First Name]=" + Customer.GetFirstName() +
            ", [Last Name]=" + Customer.GetLastName() +
            ", [Address]=" + Customer.GetAddress() +
            ", [Phone Number]=" + Customer.GetPhoneNum() +
            ", [Email Address]=" + Customer.GetEmailAddress() + 
            ", WHERE [Customer ID]=" + editIdTB.Text + "";
        cmd.ExecuteNonQuery();
        connect.Close();
        MessageBox.Show("Changes made successfully!", "Success!", MessageBoxButtons.OK);
    }
    this.Close();
}

Solution

Try this

cmd.CommandText = "UPDATE Customers SET [First Name]='" + Customer.GetFirstName() +
            "', [Last Name]='" + Customer.GetLastName() +
            "', [Address]='" + Customer.GetAddress() +
            "', [Phone Number]='" + Customer.GetPhoneNum() +
            "', [Email Address]='" + Customer.GetEmailAddress() + 
            "' WHERE [Customer ID]=" + editIdTB.Text;

OTHER TIPS

I think the problem you have is the comma before WHERE. Try removing that and give it another try.

It would be easier to diagnose if you can capture the exact SQL you're executing and try to run it in a query browser.

Also, I recommend using string.Format when you are constructing the SQL. For a better solution, try LINQ to SQL or Entity Framework.

You need to put quotes around the values. That should solve the main problem here.

However, you have a pretty enormous security flaw here. Google "SQL injection" and you'll see that a bad guy can seriously ruin your week by putting malicious text into the editIdTB textbox.

Apart from the security vulnerability, constructing queries this way will still have a stability problem. As soon as one of your data fields includes an apostrophe, the SQL will break again (e.g. surname O'Neill). Best practice is to supply all data values via parameters; it avoids the need to concatenate in all those single quotes/apostrophes, won't be sensitive to data values, and won't have a security vulnerability.
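The two answers above (the injection warning and the parameters recommendation) both point at the same fix. The following is an added example, not code from the original post or the accepted answer: the same UPDATE written with OleDb parameters. It keeps the table and column names from the question; the ACE connection string, the class and method names, and the sample values in Main are assumptions.

```csharp
using System;
using System.Data.OleDb;

// Added example (not the original poster's code): parameterised version of the
// UPDATE from the question. Table/column names come from the question; the
// connection string below is an assumption and must point at the real .accdb file.
public static class CustomerRepository
{
    // Assumed ACE provider connection string (placeholder path).
    public const string ConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=Customers.accdb;";

    // OleDb does not support named parameters: each '?' is bound strictly by the
    // order in which parameters are added to the command, so the Add() calls
    // below must follow the placeholder order in this statement.
    private const string UpdateSql =
        "UPDATE Customers SET [First Name]=?, [Last Name]=?, [Address]=?, " +
        "[Phone Number]=?, [Email Address]=? WHERE [Customer ID]=?";

    // Returns the number of rows updated; 0 means no customer with that ID exists.
    public static int UpdateCustomer(string connectionString, int custId,
        string firstName, string lastName, string address, string phone, string email)
    {
        using (var connect = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(UpdateSql, connect))
        {
            // Every value is sent as data, never spliced into the SQL text, so an
            // apostrophe (O'Neill) or an injection attempt ('; DROP TABLE ...) in
            // any textbox is stored literally instead of altering the statement.
            // Parameter names are ignored by OleDb; they are kept only for readability.
            cmd.Parameters.Add("FirstName", OleDbType.VarWChar, 255).Value = firstName;
            cmd.Parameters.Add("LastName", OleDbType.VarWChar, 255).Value = lastName;
            cmd.Parameters.Add("Address", OleDbType.VarWChar, 255).Value = address;
            cmd.Parameters.Add("PhoneNumber", OleDbType.VarWChar, 255).Value = phone;
            cmd.Parameters.Add("EmailAddress", OleDbType.VarWChar, 255).Value = email;
            cmd.Parameters.Add("CustomerId", OleDbType.Integer).Value = custId;

            connect.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // In the form, editIdTB.Text would be validated the same way before the
        // call, so a non-numeric entry is rejected rather than reaching the WHERE
        // clause. The ID and field values here are constructed sample input.
        if (!int.TryParse("5", out int custId))
        {
            Console.WriteLine("Customer ID must be a whole number.");
            return;
        }

        int rows = UpdateCustomer(ConnectionString, custId,
            "Mary", "O'Neill", "5346 S. Eubank blvd", "555-0100", "mary@example.com");

        Console.WriteLine(rows == 1 ? "Changes made successfully!" : "No customer with that ID.");
    }
}
```

Two caveats when wiring this into the button handler: to store a NULL, assign DBNull.Value to the parameter's Value (a C# null is not accepted), and do not include [Customer ID] in the SET list as the question's code did, since the key is already fixed by the WHERE clause.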

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow