paulhudson
Posted April 17, 2005

I have an ASP.NET page that enables an administrator to reset users' passwords. Having entered a unique username and a new password, an SQL query is generated. The NEW field in the database is set as Yes/No; if set to Yes, then on logon the user is expected to change the password.

The following SQL line is generated:

    UPDATE tbUsers SET new='1', password='xyz' WHERE Username='Under10'

But in trying to perform the update the following error occurs:

    ERROR: Syntax error in UPDATE statement

I have tried running the SQL line from a query within the Access database and it works fine.

The actual code that generates the SQL line is as follows:

    sSQL = "UPDATE tbUsers SET new='1', password='" & NewPassword & "' WHERE Username='" & Username & "'"

This has me stumped - any suggestions would be greatly appreciated.

HJB417
Posted April 17, 2005

Try using

    sSQL = "UPDATE tbUsers SET [new]='1', [password]='" & NewPassword & "' WHERE [username]='" & Username & "'"

Also, get in the habit of using parameters

    sSQL = "UPDATE tbUsers SET [new]=@new, [password]=@NewPassword WHERE [username]=@Username"

or

    sSQL = "UPDATE tbUsers SET [new]=?, [password]=? WHERE [username]=?"

There is no reason not to use parameters when a data provider supports it.

paulhudson (Author)
Posted April 18, 2005

Thank you! The square brackets worked a treat.

I have gotten to using parameters but only when using stored procedures (or saved queries in Access). Is there any benefit in using them otherwise - excepting of course the adage of employing good practice?

Thank you once again.

HJB417
Posted April 18, 2005

Using parameters stops SQL injection attacks, and some databases cache parameterized queries.
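
Added example, not code from either poster: the parameterized UPDATE from this thread executed through System.Data.OleDb, the provider normally used for Access from ASP.NET. The helper name ResetPassword, the connectionString argument, the parameter types and the 255-character sizes are assumptions for illustration.

```vb
Imports System.Data.OleDb

Module PasswordReset
    ' Hypothetical helper: resets one user's password with a parameterized UPDATE.
    ' connectionString is an assumption; pass your own Access/Jet connection string.
    Public Function ResetPassword(ByVal connectionString As String, _
                                  ByVal username As String, _
                                  ByVal newPassword As String) As Boolean
        ' The SQL text is a constant, so user input never becomes part of it.
        ' Square brackets keep the column names from being parsed as keywords.
        Const sSQL As String = "UPDATE tbUsers SET [new]=?, [password]=? WHERE [username]=?"

        Using conn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sSQL, conn)
                ' OleDb binds parameters by position, not by name. Add them in the
                ' same order as the ? markers; the names here are labels only.
                ' Types and sizes are assumptions (Yes/No column, Text(255) columns).
                cmd.Parameters.Add("@new", OleDbType.Boolean).Value = True
                cmd.Parameters.Add("@NewPassword", OleDbType.VarWChar, 255).Value = newPassword
                cmd.Parameters.Add("@Username", OleDbType.VarWChar, 255).Value = username

                conn.Open()

                ' Values travel separately from the statement, so a quote character
                ' in a name such as O'Brien is stored or compared as data. It can
                ' neither break the syntax nor change the WHERE clause.
                Dim rows As Integer = cmd.ExecuteNonQuery()

                ' Username is described as unique, so exactly one row should change.
                ' Zero means no such user; treat anything else as an error.
                Return rows = 1
            End Using
        End Using
    End Function
End Module
```

Because binding is positional, the `@new`/`@NewPassword`/`@Username` form of the statement behaves the same way with this provider: swapping the order of the `Parameters.Add` calls would silently write the values into the wrong columns.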