+- LCKB (https://lckb.dev/forum)
+-- Forum: ** OLD LCKB DATABASE ** (https://lckb.dev/forum/forumdisplay.php?fid=109)
+--- Forum: Programmers Gateway (https://lckb.dev/forum/forumdisplay.php?fid=196)
+---- Forum: Coders Talk (https://lckb.dev/forum/forumdisplay.php?fid=192)
+---- Thread: MySQL Syntax Error (/showthread.php?tid=2076)
- Paramount - 08-03-2013
Hello guys! Look at my code:
{
"UPDATE bg_user SET user_id=",
this.textBox36.Text,
", passwd=",
this.textBox37.Text,
", cash=",
this.textBox45.Text,
", email=",
this.textBox42.Text,
" WHERE user_code=",
this.textBox43.Text,
}
It says me You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near , passwd=*******, cash=0, email=***@***.com WHERE user_co at line 1
Any idea how to fix it?
Thanks in advanced.
- ReturnKratos - 08-03-2013
can work like that ?
{
"UPDATE bg_user SET user_id=" & this.textBox36.Text & ", passwd=" & this.textBox37.Text & ", cash=" & this.textBox45.Text & ", email=",this.textBox42.Text & " WHERE user_code=" & this.textBox43.Text & ";"
}
- someone - 08-03-2013
"UPDATE bg_user SET user_id=", // missing after user_id=
this.textBox36.Text,
", passwd=",
this.textBox37.Text,
", cash=",
this.textBox45.Text,
", email=",
this.textBox42.Text,
" WHERE user_code=", // error missing
this.textBox43.Text, //an array does not end with ,
The result would be something like this :
UPDATE bg_user SET user_id=, passwd=, cash=, email= WHERE user_code=
Instead of using string.concat i suggest concatenating strings with + because 1 its much easier to use and is less memory usage(if the application were to execute a query every second it will allocate a lot of uses memory in a short time.)
A proper way to write it is simple:
string query = "UPDATE bg_user SET " +
"user_id=" + this.textBox36.Text + "," +
"passwd=" + this.textBox37.Text + "," +
"cash=" + this.textBox45.Text + "," +
"email=" + this.textBox42.Text + " " +
"WHERE user_code=" + this.textBox43.Text + "";
@ReturnKratos
The operator & is the string concatenation for visual basic, it will not work in the other .net languages, instead of the operator & I suggest using the operator4 +, since it works in VB and other .net languages language, even outside .net like java or javascript, or python, etc
- Paramount - 08-03-2013
Fixed! Thanks someone and ReturnKratos for you help!!!
- Wizatek - 08-04-2013
MySqlCommand cmd = new MySqlCommand("UPDATE bg_user SET user_id = @uname, passwd = @pwd, cash = @cash, email = @email WHERE user_code = @uid", sqlcon);
cmd.Prepare();
cmd.Parameters.AddWithvalue("@uname", textBox36.Text);
cmd.Parameters.AddWithvalue("@passwd", textBox37.Text);
// etc etc etc
cmd.ExecuteNonQuery();
This way your strings will get escaped automatically, and its also mysql injection safe for how far thats needed
- ReturnKratos - 08-04-2013
"UPDATE bg_user SET user_id=", // missing after user_id=
this.textBox36.Text,
", passwd=",
this.textBox37.Text,
", cash=",
this.textBox45.Text,
", email=",
this.textBox42.Text,
" WHERE user_code=", // error missing
this.textBox43.Text, //an array does not end with ,
The result would be something like this :
UPDATE bg_user SET user_id=, passwd=, cash=, email= WHERE user_code=
Instead of using string.concat i suggest concatenating strings with + because 1 its much easier to use and is less memory usage(if the application were to execute a query every second it will allocate a lot of uses memory in a short time.)
A proper way to write it is simple:
string query = "UPDATE bg_user SET " +
"user_id=" + this.textBox36.Text + "," +
"passwd=" + this.textBox37.Text + "," +
"cash=" + this.textBox45.Text + "," +
"email=" + this.textBox42.Text + " " +
"WHERE user_code=" + this.textBox43.Text + "";
@ReturnKratos
The operator & is the string concatenation for visual basic, it will not work in the other .net languages, instead of the operator & I suggest using the operator4 +, since it works in VB and other .net languages language, even outside .net like java or javascript, or python, etc
Ok thanks for the info.