-2

I always get this error whenever I try to update the record in OleDBSQL. Here is my code:

```csharp
// Question's code as posted: values are concatenated straight into the SQL text,
// and "password" is used unescaped as a column name.
private void update(int id, string fname, string user, string pass, string email, string address, string ci, string bday)
{
    //SQL STMT
    string cmdTxt = "UPDATE tbl_users SET fullName= '" + fname + "', userName='" + user + "', password='" + pass + "', email='" + email + "', address='" + address + "', contactInformation='" + ci + "', birthday='" + bday + "' WHERE ID=" + id + "";
    cmd = new OleDbCommand(cmdTxt, con);
    cmd.ExecuteNonQuery();
}
```
    don't store passwords in plain text; salt and hash them – Mitch Wheat Oct 15 '22 at 11:22
  • Does this answer your question? [Why do we always prefer using parameters in SQL statements?](https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements) – Charlieface Oct 15 '22 at 20:42
  • You **must** parameterize your statements properly, or you will get syntax errors and injection attacks. – Charlieface Oct 15 '22 at 20:43

1 Answer

2

I'm guessing that you're using an Access database, in which case "Password" is a reserved word. That means that you need to escape it in the SQL code, i.e. use [Password].

You should also ALWAYS use parameters to insert values into SQL code, not use string concatenation. That's beyond the scope of this answer but you can find details in many places. That will address a number of potential issues, including syntax errors due to single-quotes.

jmcilhinney
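The parameterized form the answer recommends, as an added example that is not jmcilhinney's code: the reserved word is escaped as [Password] and every value is bound through OleDb's positional `?` placeholders instead of being concatenated. It assumes an open OleDbConnection named `con`, the table and column names from the question, and that `passwordHash` is already a salted hash as the comments advise.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

static class UserRepository
{
    // Added example, not the answer's own code. Assumes the tbl_users table and
    // column names from the question and an already-open OleDbConnection.
    public static int UpdateUser(OleDbConnection con, int id, string fname, string user,
        string passwordHash, string email, string address, string ci, DateTime bday)
    {
        // OleDb parameters are positional: each "?" is bound in the order the
        // parameters are added below, so the Add order must match the SQL text.
        // [Password] escapes the Access reserved word that broke the original query.
        const string sql =
            "UPDATE tbl_users SET fullName = ?, userName = ?, [Password] = ?, email = ?, " +
            "address = ?, contactInformation = ?, birthday = ? WHERE ID = ?";

        using (var cmd = new OleDbCommand(sql, con))
        {
            cmd.Parameters.Add("@fullName", OleDbType.VarWChar).Value = fname;
            cmd.Parameters.Add("@userName", OleDbType.VarWChar).Value = user;
            // Store a salted hash, never the plaintext password (see the comments above).
            cmd.Parameters.Add("@password", OleDbType.VarWChar).Value = passwordHash;
            cmd.Parameters.Add("@email", OleDbType.VarWChar).Value = email;
            cmd.Parameters.Add("@address", OleDbType.VarWChar).Value = address;
            cmd.Parameters.Add("@contactInformation", OleDbType.VarWChar).Value = ci;
            cmd.Parameters.Add("@birthday", OleDbType.Date).Value = bday;
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = id;

            // A quote inside any value (e.g. O'Brien) is now data, not SQL syntax,
            // so the single-quote failures and the injection path both disappear.
            return cmd.ExecuteNonQuery(); // number of rows updated
        }
    }
}
```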