```vb
    connect()
    MD = "update EmpRec set ('" & TextBox1.Text & "','" & TextBox2.Text & "','" & TextBox3.Text & "', '" & TextBox4.Text & "', '" & TextBox5.Text & "','" & ComboBox2.Text & "','" & ComboBox3.Text & "','" & Label3.Text & "','" & ComboBox4.Text & "','" & ComboBox5.Text & "','" & TextBox7.Text & "','" & TextBox8.Text & "','" & TextBox9.Text & "','" & Label19.Text & "','" & Label22.Text & "','" & Label25.Text & "','" & TextBox6.Text & "','" & TextBox10.Text & "')"
    comm = New OleDbCommand(MD, conn)
    comm.ExecuteNonQuery()
    MsgBox("Done!", MsgBoxStyle.Information)
    grid()
    TextBox1.Clear()
    TextBox2.Clear()
    TextBox3.Clear()
    TextBox4.Clear()
    TextBox5.Clear()
    DataGridView1.Refresh()
    TextBox2.Enabled = False
    TextBox3.Enabled = False
    TextBox4.Enabled = False
    TextBox5.Enabled = False
End Sub
```
Alex K.
Jecho
  • You *really* need to change that to a [parameterized query](http://stackoverflow.com/questions/5468425/how-do-parameterized-queries-help-against-sql-injection), then revisit if whatever problem you have is still present. – Alex K. Mar 25 '15 at 12:21
  • Do you have any error? – the_lotus Mar 25 '15 at 12:42
  • You cannot use that command in any VS ever released and also not against any database system that I know of. Please [look at the correct syntax](http://www.w3schools.com/SQl/sql_update.asp), then stop a bit and study what is [SQL Injection](http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work) – Steve Mar 25 '15 at 13:02
  • You're passing in values to your SQL but not telling the UPDATE which columns to SET. Also, you're outputting "Done!" to the user without actually checking whether anything's been done. The lack of parameters in your query as Alex K points out is bad enough, but you really need to get some error handling in there. At the very least, put it in a Try Catch. You know what would be even better than a parameterized query? A nice stored procedure. Wouldn't that be lovely? I love a good stored procedure, personally. – Jonathon Cowley-Thom Mar 25 '15 at 14:48

1 Answer


This is not the way to write an UPDATE statement. Try to see what `MD` looks like. It will probably be something like `update EmpRec set ('asdf','zxcv','qwer'...`. Where are the column names? Also, as Alex K. wrote in the comment, you really need to change that to a parameterized query.

Zohar Peled
  • I suspect Jecho is trying to do an INSERT. The lack of a WHERE predicate on his statement seems very odd for an UPDATE, unless he only expects there to be a single row in the table (which is entirely possible, if it's something like a settings form etc). – Jonathon Cowley-Thom Mar 25 '15 at 14:52
  • @JonathonCowley-Thom I really have no idea if it's an insert or an update attempt. Whatever it is, clearly it can't be done with the code Jecho posted. As a side note - we agree about stored procedures :-) – Zohar Peled Mar 25 '15 at 14:59
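
The parameterized UPDATE that the comments and the answer call for, with the affected-row check and error handling the comments also mention, as an added example that is not part of the original posts. The column names (`FirstName`, `LastName`, `Department`, `EmpID`), the connection string and the sample values are assumptions; only the table name `EmpRec` comes from the question.

```vb
Imports System.Data.OleDb

Module EmpRecUpdate
    ' Assumption: provider and database path are placeholders for illustration.
    Private Const ConnStr As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\placeholder.accdb"

    ' Returns the number of rows changed so the caller can report real success.
    ' FirstName, LastName, Department and EmpID are hypothetical column names.
    Function UpdateEmployee(empId As String, firstName As String,
                            lastName As String, department As String) As Integer
        ' Column names are fixed text; user input never becomes part of the SQL.
        Const Sql As String =
            "UPDATE EmpRec SET FirstName = ?, LastName = ?, Department = ? WHERE EmpID = ?"

        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(Sql, conn)
                ' OleDb binds by position: add parameters in the order of the ? marks.
                ' The parameter names are labels only.
                cmd.Parameters.Add("@FirstName", OleDbType.VarWChar, 50).Value = firstName
                cmd.Parameters.Add("@LastName", OleDbType.VarWChar, 50).Value = lastName
                cmd.Parameters.Add("@Department", OleDbType.VarWChar, 50).Value = department
                cmd.Parameters.Add("@EmpID", OleDbType.VarWChar, 20).Value = empId
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Sub Main()
        Try
            ' Constructed sample input; the apostrophe stays data, not SQL syntax.
            Dim rows As Integer = UpdateEmployee("E001", "Conan", "O'Brien", "Sales")
            If rows = 0 Then
                Console.WriteLine("No matching employee; nothing was updated.")
            Else
                Console.WriteLine("Updated " & rows & " row(s).")
            End If
        Catch ex As OleDbException
            Console.WriteLine("Update failed: " & ex.Message)
        End Try
    End Sub
End Module
```

In the form from the question, the `TextBox` and `ComboBox` values would be passed as the arguments, and the "Done!" message shown only when the returned row count is greater than zero.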