
Hello guys, I have a problem with my sentence... I have an EditInfo page and I want to make it so that the info you put in the textbox will change the info that you registered with... And I have a problem with my sentence. Can anyone find the problem for me please?

    using System.Data.OleDb;

    public static bool EditUser(string userName, string passWord, string firstName, string lastName, string eMail, string cityID)
    {
        string connectionStr = @"Provider=Microsoft.Jet.OleDb.4.0;Data Source=|DataDirectory|\DataBase.mdb";
        OleDbConnection connectObj = new OleDbConnection(connectionStr);
        // The UPDATE is built by concatenating the field values straight into the SQL text
        string mySql = "UPDATE Users SET UserPass='" + passWord + "',";
        mySql += "FirstName='" + firstName + "',";
        mySql += "LastName='" + lastName + "',";
        mySql += "Email='" + eMail + "',";
        mySql += "Place='" + cityID + "',";
        mySql += "WHERE UserName='" + userName + "'";
        OleDbCommand myCommandObj = new OleDbCommand(mySql, connectObj);
        connectObj.Open();
        myCommandObj.ExecuteNonQuery();
        connectObj.Close();
        return true;
    }

Picture of the problem

  • 1
    Do NOT use string concatenation to create SQL queries. It is susceptible to SQL injection attacks. Use parameterized queries instead. – Gilad Green Nov 17 '18 at 14:23
  • 1
    The "'," after cityID should not contain a comma but a space to separate it from the WHERE clause. BUT: NEVER construct SQL commands from user input. Use Parameters instead – Klaus Gütter Nov 17 '18 at 14:24
  • What do you mean, Parameters, bro? –  Nov 17 '18 at 14:32
  • See here https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements – Klaus Gütter Nov 17 '18 at 14:44
  • Can you maybe help me, bro? I am working on an EditInfo page. For example, if I register on my site and want to change my data, I can go to the EditInfo page and change it, but it's not working for me... :( I wrote a question about it and no one has helped me yet... –  Nov 17 '18 at 14:48
  • https://stackoverflow.com/questions/53350765/database-doing-problem-with-my-rows-and-with-my-editinfo-html-page –  Nov 17 '18 at 14:48

1 Answer


Missing space?

...
mySql += "Place='" + cityID + "'<<space here no comma>>";
mySql += "WHERE UserName='" + userName + "'";
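An added example (not code from the question or the answer) of the parameterized UPDATE that the comments recommend, with the space before WHERE that the answer points out; it keeps the question's connection string, table and column names, and assumes a `UserRepository` class name and text (VarWChar) columns:

```csharp
using System.Data.OleDb;

public static class UserRepository
{
    // Same connection string as in the question
    private const string ConnectionStr =
        @"Provider=Microsoft.Jet.OleDb.4.0;Data Source=|DataDirectory|\DataBase.mdb";

    public static bool EditUser(string userName, string passWord, string firstName,
                                string lastName, string eMail, string cityID)
    {
        // Placeholders instead of concatenated values: the values never become part of the
        // SQL text, so a quote typed into a textbox cannot change the statement.
        // Note the space before WHERE (the question's code had a comma there).
        const string sql =
            "UPDATE Users SET UserPass = ?, FirstName = ?, LastName = ?, Email = ?, Place = ? " +
            "WHERE UserName = ?";

        using (var connection = new OleDbConnection(ConnectionStr))
        using (var command = new OleDbCommand(sql, connection))
        {
            // OleDb binds parameters by position, not by name, so add them in the
            // order the ? placeholders appear; the names are only for readability.
            command.Parameters.Add("@UserPass", OleDbType.VarWChar).Value = passWord;
            command.Parameters.Add("@FirstName", OleDbType.VarWChar).Value = firstName;
            command.Parameters.Add("@LastName", OleDbType.VarWChar).Value = lastName;
            command.Parameters.Add("@Email", OleDbType.VarWChar).Value = eMail;
            command.Parameters.Add("@Place", OleDbType.VarWChar).Value = cityID;
            command.Parameters.Add("@UserName", OleDbType.VarWChar).Value = userName;

            connection.Open();
            int rowsAffected = command.ExecuteNonQuery();

            // True only if a user with that name existed and was updated,
            // instead of the unconditional "return true" in the question.
            return rowsAffected == 1;
        }
    }
}
```

The `using` blocks close the connection even if `ExecuteNonQuery` throws, which the original code did not guarantee.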