Posts: 730
Threads: 36
Thanks Received: 0 in 0 posts
Thanks Given: 0
Joined: Aug 2011
Reputation:
0
Hello guys! Look at my code:
{
"UPDATE bg_user SET user_id=",
this.textBox36.Text,
", passwd=",
this.textBox37.Text,
", cash=",
this.textBox45.Text,
", email=",
this.textBox42.Text,
" WHERE user_code=",
this.textBox43.Text,
}
It tells me: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near , passwd=*******, cash=0, email=***@***.com WHERE user_co at line 1
Any idea how to fix it?
Thanks in advance.
Posts: 207
Threads: 29
Thanks Received: 0 in 0 posts
Thanks Given: 0
Joined: Jun 2011
Reputation:
0
Can it work like that?
{
"UPDATE bg_user SET user_id=" & this.textBox36.Text & ", passwd=" & this.textBox37.Text & ", cash=" & this.textBox45.Text & ", email=",this.textBox42.Text & " WHERE user_code=" & this.textBox43.Text & ";"
}
Posts: 313
Threads: 20
Thanks Received: 0 in 0 posts
Thanks Given: 0
Joined: Jul 2011
Reputation:
0
"UPDATE bg_user SET user_id=", // missing after user_id=
this.textBox36.Text,
", passwd=",
this.textBox37.Text,
", cash=",
this.textBox45.Text,
", email=",
this.textBox42.Text,
" WHERE user_code=", // error missing
this.textBox43.Text, //an array does not end with ,
The result would be something like this:
UPDATE bg_user SET user_id=, passwd=, cash=, email= WHERE user_code=
Instead of using string.Concat I suggest concatenating strings with +, because it's much easier to use and uses less memory (if the application were to execute a query every second, it will allocate a lot of memory in a short time).
A proper way to write it is simple:
string query = "UPDATE bg_user SET " +
"user_id=" + this.textBox36.Text + "," +
"passwd=" + this.textBox37.Text + "," +
"cash=" + this.textBox45.Text + "," +
"email=" + this.textBox42.Text + " " +
"WHERE user_code=" + this.textBox43.Text + "";
@ReturnKratos
The operator & is the string concatenation operator for Visual Basic; it will not work in the other .NET languages. Instead of the operator & I suggest using the operator +, since it works in VB and other .NET languages, even outside .NET like Java or JavaScript, or Python, etc.
Posts: 730
Threads: 36
Thanks Received: 0 in 0 posts
Thanks Given: 0
Joined: Aug 2011
Reputation:
0
Fixed! Thanks someone and ReturnKratos for your help!!!
Posts: 768
Threads: 40
Thanks Received: 0 in 0 posts
Thanks Given: 0
Joined: May 2011
Reputation:
0
MySqlCommand cmd = new MySqlCommand("UPDATE bg_user SET user_id = @uname, passwd = @pwd, cash = @cash, email = @email WHERE user_code = @uid", sqlcon);
cmd.Prepare();
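// Parameter names must match the placeholders in the command text.
cmd.Parameters.AddWithValue("@uname", textBox36.Text);
cmd.Parameters.AddWithValue("@pwd", textBox37.Text);
cmd.Parameters.AddWithValue("@cash", textBox45.Text);
cmd.Parameters.AddWithValue("@email", textBox42.Text);
cmd.Parameters.AddWithValue("@uid", textBox43.Text);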
cmd.ExecuteNonQuery();
This way your strings will get escaped automatically, and it's also MySQL injection safe, for how far that's needed.
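As an added example (not part of the original thread), the Python sketch below replays both approaches from this thread against a constructed bg_user table, with sqlite3 standing in for MySQL and `?` placeholders standing in for the `@name` parameters so that it runs offline. The function names, sample rows and form inputs are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """Constructed two-row bg_user table (sqlite3 stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bg_user (user_code INTEGER PRIMARY KEY, "
               "user_id TEXT, passwd TEXT, cash INTEGER, email TEXT)")
    db.executemany("INSERT INTO bg_user VALUES (?, ?, ?, ?, ?)",
                   [(1, "alice", "pw1", 10, "alice@example.com"),
                    (2, "bob", "pw2", 20, "bob@example.com")])
    return db

def update_concat(db, user_id, passwd, cash, email, user_code):
    """Thread's first approach: form text becomes part of the SQL statement."""
    sql = ("UPDATE bg_user SET user_id=" + user_id + ", passwd=" + passwd +
           ", cash=" + cash + ", email=" + email +
           " WHERE user_code=" + user_code)
    return db.execute(sql).rowcount

def update_bound(db, user_id, passwd, cash, email, user_code):
    """Bound parameters: fixed statement, values sent separately as data."""
    sql = ("UPDATE bg_user SET user_id = ?, passwd = ?, cash = ?, email = ? "
           "WHERE user_code = ?")
    # int() rejects non-numeric input for the numeric columns up front.
    args = (user_id, passwd, int(cash), email, int(user_code))
    return db.execute(sql, args).rowcount

def outcome(func, form):
    """Run one update on a fresh table; report rows changed or the error type."""
    db = make_db()
    try:
        changed = func(db, *form)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__, None
    ids = [r[0] for r in db.execute(
        "SELECT user_id FROM bg_user ORDER BY user_code")]
    return changed, ids

# Constructed form inputs.
ORDINARY = ("o'brien", "s3cret", "0", "ob@example.com", "1")
WIDENED = ("0", "0", "0", "0", "1 OR 1=1")  # user_code field carries SQL text

if __name__ == "__main__":
    for form in (ORDINARY, WIDENED):
        print(outcome(update_concat, form), outcome(update_bound, form))
```

With concatenation, the ordinary input fails to parse and the second input changes every row; with bound parameters, the apostrophe is stored verbatim in one row and the non-numeric user_code is rejected before the query runs.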
Posts: 207
Threads: 29
Thanks Received: 0 in 0 posts
Thanks Given: 0
Joined: Jun 2011
Reputation:
0
Ok thanks for the info.