0

In my winforms application i want to update database values using form. i managed to create every other part get to work other than this.when i tried to update my database it giving me some strange sql error. i have not idea what's wrong with my code

it shows me error like this

you have an error in your sql syntax check the manual that corresponds to your mysql server version

and this is the code that i used to update the database.can someone please check this code for me 

 private void button1_Click(object sender, EventArgs e)
    {


        string constring = string.Format("datasource='{0}';username=***************;port=3306;password=**********;Connect Timeout=20000;Command Timeout=28800", serverip.Text);

        string Query = "update wartif.userdata set (citrixpass= '" + this.citrix_pass_box.Text + " ', idmpass = '" + this.IDM_pass_box.Text + "' , mortracpass = '" + this.mortrac_pass_box.Text + "' , detpass = '" + this.DET_pass_box.Text + "' where username = '" + this.Pwloggeninaslable.Text + "' ;";   
        MySqlConnection conwaqDatabase = new MySqlConnection(constring);
        MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase);
        MySqlDataReader myreader;

        try
        {
            conwaqDatabase.Open();
            myreader = cmdwaqDatabase.ExecuteReader();
            while (myreader.Read()) { }

        }


        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }





    }
rafalefighter
  • 714
  • 2
  • 11
  • 39

1 Answers1

3

You open a parenthesis before the SET clause (not needed) but you forget to close it at the end

However, let me show you how you should write this code to avoid sql injection and parsing problems

string constring = .....;
string Query = @"update wartif.userdata set citrixpass=@ctx, idmpass = @idm, 
                 mortracpass = @mtc, detpass = @det where username = @usr;";   
using(MySqlConnection conwaqDatabase = new MySqlConnection(constring))
using(MySqlCommand cmdwaqDatabase = new MySqlCommand(Query, conwaqDatabase))
{
    try
    {
        conwaqDatabase.Open();
        cmdwaqDatabase.Parameters.AddWithValue("@ctx", this.citrix_pass_box.Text);
        cmdwaqDatabase.Parameters.AddWithValue("@idm", this.IDM_pass_box.Text);
        cmdwaqDatabase.Parameters.AddWithValue("@mtc", this.mortrac_pass_box.Text);
        cmdwaqDatabase.Parameters.AddWithValue("@det", this.DET_pass_box.Text);
        cmdwaqDatabase.Parameters.AddWithValue("@usr", this.Pwloggeninaslable.Text);
        int rowsUpdated = cmdwaqDatabase.ExecuteNonQuery();

     }
     catch (Exception ex)
     {
         MessageBox.Show(ex.Message);
     }
 }

In this way you don't need to worry about malicious user that tries to break your code with an Sql Injection attack, your query string is more readable and you don't need to worry about passing strings that contains single quote or correctly formatting dates and decimals

Community
  • 1
  • 1
Steve
  • 213,761
  • 22
  • 232
  • 286