string co = "Update Accounts set password = '" + txtNew.Text + "'  where Username='" + txtUse.Text + "' and Password = '" + txtPas.Text + "'";

Above shows my UPDATE statement. There are no compiler errors or anything, not even any warnings.

Angelo
    You need to read up on parameterised queries because your question is about to be bombarded by SQLi comments. – David Pilkington Feb 19 '16 at 07:16
  • What is your _complete_ error message? – Soner Gönül Feb 19 '16 at 07:17
  • What error do you get, and what data do you have in username and password? The data may break the SQL. – Adil Feb 19 '16 at 07:18
  • Strings aren't evaluated by the compiler because it doesn't know that you want to use them as part of your actual logic. That's why you don't get any warnings or even errors.... –  Feb 19 '16 at 07:18

2 Answers


I strongly suspect this happens because one of your TextBox values contains a character that needs escaping, like the apostrophe in O'Connors or something. But since you didn't tell us their values, we can't be sure about that.

But more importantly, you should always use parameterized queries. This kind of string concatenation is open to SQL Injection attacks, and with prepared statements you don't need to worry about escaping characters since they handle them automatically.

Also, do not store your passwords as plain text. Read: Best way to store password in database

using System.Data.OleDb;

// The connection string is not shown in the original answer; connectionString
// is assumed to hold your own.
using(var con = new OleDbConnection(connectionString))
using(var cmd = con.CreateCommand())
{
   cmd.CommandText = @"Update Accounts set password = @newpass  
                       where Username = @user and Password = @pass";

   // OleDb binds parameters by position, not by name, so add them in the
   // same order in which they appear in the CommandText.
   cmd.Parameters.Add("@newpass", OleDbType.VarWChar).Value = txtNew.Text;
   cmd.Parameters.Add("@user", OleDbType.VarWChar).Value = txtUse.Text;
   cmd.Parameters.Add("@pass", OleDbType.VarWChar).Value = txtPas.Text;

   con.Open();
   cmd.ExecuteNonQuery();
}
Soner Gönül
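To make the two points in this answer concrete (an apostrophe in the input breaking the concatenated statement, and why bound parameters close the injection hole), here is an added example that is not part of the original answer. It is written in Python against an in-memory SQLite database so that it runs stand-alone: the `Accounts` table and its rows are constructed for the demonstration, and SQLite's positional `?` placeholder stands in for the `@name` parameters of the OleDb code above. The first function reproduces the question's concatenation exactly; the second is the parameterized form.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the question): three accounts with plaintext passwords."""
    con = sqlite3.connect(":memory:")
    # SQLite compares identifiers case-insensitively, so "password" and "Password"
    # name the same column here, as they would on SQL Server with default collation.
    con.execute("CREATE TABLE Accounts (Username TEXT PRIMARY KEY, Password TEXT)")
    con.executemany(
        "INSERT INTO Accounts VALUES (?, ?)",
        [("alice", "alice-old"), ("bob", "bob-old"), ("oconnors", "irish")],
    )
    con.commit()
    return con


def concatenated_update(con, new_pw, user, old_pw):
    """The question's pattern: user input spliced straight into the SQL text."""
    sql = (
        "Update Accounts set password = '" + new_pw + "'  where Username='" + user
        + "' and Password = '" + old_pw + "'"
    )
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # number of rows the UPDATE touched


def parameterized_update(con, new_pw, user, old_pw):
    """The answer's pattern: placeholders in the SQL, values bound by the driver."""
    cur = con.execute(
        "Update Accounts set password = ?  where Username = ? and Password = ?",
        (new_pw, user, old_pw),
    )
    con.commit()
    return cur.rowcount


def passwords(con):
    return dict(con.execute("SELECT Username, Password FROM Accounts"))


def apostrophe_breaks_concatenation():
    """A legitimate new password containing an apostrophe turns into a syntax error:
    the SQL text becomes  set password = 'O'Connors'  and the parser stops at Connors."""
    con = make_db()
    try:
        concatenated_update(con, "O'Connors", "oconnors", "irish")
    except sqlite3.OperationalError as exc:
        return "syntax error" in str(exc)
    return False


def injection_rewrites_everyone():
    """Supplying  ' OR '1'='1  as the old password makes the WHERE clause
    (Username='nobody' and Password='') OR '1'='1', which is true for every row,
    so every account's password is reset without knowing any of them."""
    con = make_db()
    rows = concatenated_update(con, "pwned", "nobody", "' OR '1'='1")
    return rows, passwords(con)


def parameterized_handles_both():
    """With bound parameters the payload is just a string that matches no password,
    and the apostrophe is stored literally instead of being parsed."""
    con = make_db()
    attack_rows = parameterized_update(con, "pwned", "nobody", "' OR '1'='1")
    legit_rows = parameterized_update(con, "O'Connors", "oconnors", "irish")
    return attack_rows, legit_rows, passwords(con)


if __name__ == "__main__":
    print("apostrophe causes syntax error:", apostrophe_breaks_concatenation())
    print("injection via concatenation:", injection_rewrites_everyone())
    print("parameterized (attack rows, legit rows, table):", parameterized_handles_both())
```

Note that the parameterized version fixes the injection and the escaping problem only; it still compares the old password in plaintext, which is the storage issue the answer links to separately.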
string co = "Update Accounts set password = '" + txtNew.Text + "'  where Username='" + txtUse.Text + "' and Password = '" + txtPas.Text + "'";

Above is your query, and the query contains both password and Password.

Next to set you have written password, and in where you have written Password.

Anoop LL
  • Case sensitivity depends on database manager settings. So based on that, `Password` and `password` _can_ be the same or not. But if OP's database manager were case sensitive, I think this query would return some `Invalid column name..` error instead of `Syntax Error...`. That's why I don't think that's the case here. – Soner Gönül Feb 19 '16 at 07:39