
I'm getting an error in the following code. (System.Data.OleDb.OleDbException: ORA-00933: SQL command not properly ended)

using System;
using System.Data.OleDb;

protected void save_Click(object sender, EventArgs e)
{
    OleDbConnection conn = null;
    try
    {
        string connString = "Provider=OraOLEDB.Oracle;Data Source=127.0.0.1;User ID=SYSTEM;Password=SYSTEM;Unicode=True";
        conn = new OleDbConnection(connString);
        conn.Open();
        // Column assignments are joined with AND here and text box values are concatenated straight into the SQL.
        string strQuery = "update login set fname ='" + TextBox4.Text + "' and lname='" + TextBox5.Text + "' and place='" + TextBox6.Text + "' and dob='" + TextBox7.Text + "' where uname='" + Label1.Text + "'";
        OleDbCommand obCmd = new OleDbCommand(strQuery, conn);
        OleDbDataReader obReader = obCmd.ExecuteReader();
    }
    catch (OleDbException ex)
    {
        Response.Write("Send failure: " + ex.ToString());
    }
    catch (Exception exe)
    {
        Response.Write(exe.Message);
    }
    finally
    {
        if (null != conn)
        {
            conn.Close();
        }
    }
}


The update query syntax is wrong. You cannot use AND while setting multiple columns. They should be separated by a comma.

string strQuery = "update login set fname ='" + TextBox4.Text + "',lname='" + 
TextBox5.Text + "',place='" + TextBox6.Text + "',dob='" + TextBox7.Text + 
"' where uname='" + Label1.Text + "'";


The values must be separated with a comma and there is one big problem in this code. Imagine what happens when someone puts the following into TextBox4:

' where 1 = 1 --

The result would be a table where all entries would be overwritten:

update login set fname ='' where 1 = 1 --', lname='bla' ....

Use DbParameter instead:

string strQuery = @"
update LOGIN set
FNAME = :FNAME,
LNAME = :LNAME,
PLACE = :PLACE,
DOB   = :DOB
where 
UNAME = :UNAME
";

OleDbCommand obCmd = new OleDbCommand(strQuery, conn);
obCmd.Parameters.AddWithValue(":FNAME", TextBox4.Text);
obCmd.Parameters.AddWithValue(":LNAME", TextBox5.Text);
obCmd.Parameters.AddWithValue(":PLACE", TextBox6.Text);
obCmd.Parameters.AddWithValue(":DOB", TextBox7.Text);
obCmd.Parameters.AddWithValue(":UNAME", Label1.Text);

OleDbDataReader obReader = obCmd.ExecuteReader();

For Oracle the : should indicate a parameter (it's a @ for Sybase and MS SQL). I named all params like the target columns, but you can use other names of course.
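As an added illustration (not code from the question or either answer), the following Python script runs both the concatenated update from the question (with the comma fix from the first answer) and the bind-variable update from the second answer against an in-memory SQLite table that stands in for the Oracle LOGIN table. SQLite accepts the same `:NAME` placeholder style the answer uses for Oracle, so the parameterized statement is written the same way; the table rows and column set are constructed assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the page's LOGIN table (assumption:
# the real table has at least these five columns).
SEED_ROWS = [
    ("alice", "Alice", "Smith", "Oslo", "1990-01-01"),
    ("bob", "Bob", "Jones", "Lima", "1985-05-05"),
    ("carol", "Carol", "Lee", "Pune", "1992-09-09"),
]

# The payload quoted in the answer above, typed into the fname text box.
INJECTION = "' where 1 = 1 --"


def fresh_db():
    """In-memory SQLite database with the LOGIN table the question updates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table login (uname text primary key, fname text, "
        "lname text, place text, dob text)"
    )
    conn.executemany("insert into login values (?, ?, ?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def update_concatenated(conn, uname, fname, lname, place, dob):
    """The question's pattern (with the comma fix): input is spliced into the
    SQL text, so a quote in the input changes the statement itself."""
    sql = ("update login set fname ='" + fname + "',lname='" + lname +
           "',place='" + place + "',dob='" + dob +
           "' where uname='" + uname + "'")
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the caller can see what was actually executed


def update_parameterized(conn, uname, fname, lname, place, dob):
    """The second answer's fix: bind variables. The driver passes the values
    separately from the SQL text, so they are never parsed as SQL."""
    sql = """
update login set
  fname = :FNAME,
  lname = :LNAME,
  place = :PLACE,
  dob   = :DOB
where
  uname = :UNAME
"""
    cur = conn.execute(sql, {"FNAME": fname, "LNAME": lname, "PLACE": place,
                             "DOB": dob, "UNAME": uname})
    conn.commit()
    return cur.rowcount  # number of rows the update touched


def snapshot(conn):
    """uname -> fname for every row, to compare before/after."""
    return {u: f for u, f in conn.execute(
        "select uname, fname from login order by uname")}


def demo():
    # 1) concatenation: the payload rewrites the WHERE clause and comments out
    #    the rest, so every row's fname becomes the empty string.
    conn = fresh_db()
    sql = update_concatenated(conn, "alice", INJECTION, "x", "y", "z")
    after_concat = snapshot(conn)
    # 2) bind variables: the same payload is stored literally, in alice's row only.
    conn = fresh_db()
    rows = update_parameterized(conn, "alice", INJECTION, "x", "y", "z")
    after_param = snapshot(conn)
    return sql, after_concat, rows, after_param


if __name__ == "__main__":
    sql, after_concat, rows, after_param = demo()
    print("executed:", sql)
    print("after concatenation:", after_concat)
    print("parameterized rows updated:", rows)
    print("after parameters:", after_param)
```

Running it shows the concatenated statement collapsing to `update login set fname ='' where 1 = 1 --...`, which blanks fname on all three rows, while the parameterized update reports one row changed and stores the payload as plain text. The same split between SQL text and values is what `OleDbParameter` gives the C# code in the answer.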
