我想在我的m / s访问数据库中更新一个表,我的用户输入了一个新密码以替换旧密码,但我在update语句中有语法错误。请帮忙!
public partial class resetPassword : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void SubmitButton_Click(object sender, EventArgs e)
{
string userName = (string) Session["username"];
string str = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\inetpub\wwwroot\JetStar\database\JetstarDb.accdb";
var con = new OleDbConnection(str);
con.Open();
string pwd = Request.Form["conPassword"];
OleDbCommand cmd = new OleDbCommand("UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'", con);
try
{
cmd.ExecuteNonQuery();
MessageBox.Show("Your password has been changed successfully.");
}
catch (Exception ex)
{
Response.Write(ex.Message);
}
finally
{
con.Close();
}
}
}
答案 0 :(得分:4)
可能会发生这种情况,因为password
是Microsoft Access上的reserved keyword。您应该使用方括号作为[password]
您应始终使用parameterized queries。这种字符串连接对SQL Injection攻击开放。
不要将密码存储为纯文本。阅读:Best way to store password in database
使用using
statement处理您的OleDbConnection
和OleDbCommand
。
using(OleDbConnection con = new OleDbConnection(str))
using(OleDbCommand cmd = con.CreateCommand())
{
cmd.CommandText = "UPDATE [users] SET [password] = ? WHERE username = ?";
cmd.Parameters.Add("pass", OleDbType.VarChar).Value = pwd;
cmd.Parameters.Add("user", OleDbType.VarChar).Value = userName;
con.Open();
try
{
cmd.ExecuteNonQuery();
MessageBox.Show("Your password has been changed successfully.");
}
catch (Exception ex)
{
Response.Write(ex.Message);
}
}
答案 1 :(得分:2)
92.3%(a)如果你在使用它之前打印该命令并且读取错误,那么所有数据库问题都会变得很明显消息。
所以替换:
OleDbCommand cmd = new OleDbCommand("UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'", con);
有类似的东西:
String s = "UPDATE [users] SET password = '" + pwd + "' WHERE username = '" + userName + "'";
Console.WriteLine(s);
OleDbCommand cmd = new OleDbCommand(s, con);
然后发布结果:
Response.Write(ex.Message);
让所有人看到,并仔细检查它非常的内容。
(a)我刚刚从无处拨出的统计数据 - 实际价值可能会大不相同。