rfazendeiro Posted November 9, 2005

Hi to all,

I'm currently working on an application that requires user authentication. I'm using VS 2003 and Access.

Now when I run my app the login form shows up for the user to input its username and password. If it's the first time that the user is logging in (the password is blank), a form shows up to allow the user to change his password. When the user submits its new password, the password is encrypted and a query is submitted, like the example below:

UPDATE Utilizadores SET User_password='.w\"2H�XՏ,1\0#~@�MV_KTF�*uX�lhN[*\tЭ#\aE', User_reset=0 where User_id=1

To execute the query I use the following code:

[csharp]
using System.Data.Odbc;
using System.Windows.Forms;

public static int ExecuteNonQuery(string query)
{
    OdbcConnection cs;
    OdbcCommand cmd;
    try
    {
        // "APP" is the connection string as posted.
        cs = new OdbcConnection("APP");
        // The full SQL text, with the password already concatenated in, is sent as-is.
        cmd = new OdbcCommand(query, cs);
        cs.Open();
        cmd.ExecuteNonQuery();
        cs.Close();
        return 0;
    }
    catch (OdbcException ex)
    {
        MessageBox.Show("Método: ExecuteNonQuery\r\n" + ex.ToString(), "ERROR", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return -2;
    }
}
[/csharp]

It's here that I get the error.

System.Data.Odbc.OdbcException:ERROR[42000][Microsoft][ODBC Microsoft Access Driver] Syntax error in string query expression ''.w\"2H�XՏ,1'

The strange thing is that if I run the exact same query directly in Access the query returns no error.

Can anybody help?

kejpa Posted November 9, 2005

Somehow it seems like the ODBC driver thinks the string ends at \0. Could it be that it treats those two characters as end-of-string delimiters?

If I were you I'd use a parameterized query instead of what seems like a concatenated statement. There are lots of threads here about parameterized queries.

HTH
/Kejpa

TheWizardofInt Posted November 9, 2005

I have had the same thing happen to me.

What I do now is scrub my encryptions and force normal letters and numbers onto them.

It might seem less secure and, in fact, it is, but there can come a day when you want to write your program into a Web app, and a minor inconvenience becomes a major heartache.

Read the Fovean Chronicles
Because you just can't spend your whole day programming!

PlausiblyDamp (Administrators) Posted November 9, 2005

Or use parameterised queries like kejpa suggested, as this will not be any less secure, is more maintainable and isn't open to exploits such as SQL injections.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein

rfazendeiro (Author) Posted November 10, 2005

Thx for the replies! Parameterised queries did the trick for me! Thx for the help.

If anybody wants to know how to create a stored procedure in Access and then use it in .NET, here is a link: Store procedures in Access
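
The parameterised form of the UPDATE from the first post, as an added example that is not code from the thread. The class and method names, the caller-supplied connection string, the constructed sample value, and the assumption that User_password is a text column of up to 255 characters are all illustrative.

```csharp
using System;
using System.Data.Odbc;

public class PasswordStore
{
    // ODBC uses positional '?' markers: parameters bind in the order they
    // are added, and the names passed to Add() are labels only.
    private const string UpdateSql =
        "UPDATE Utilizadores SET User_password = ?, User_reset = 0 WHERE User_id = ?";

    // connectionString is supplied by the caller (assumption: a valid ODBC
    // connection string for the Access database used in the thread).
    public static int SetPassword(string connectionString, int userId, string encryptedPassword)
    {
        using (OdbcConnection cs = new OdbcConnection(connectionString))
        using (OdbcCommand cmd = new OdbcCommand(UpdateSql, cs))
        {
            // The value travels as data, so quotes, backslashes or control
            // characters in it are never parsed as part of the SQL text.
            // Assumption: User_password is a text column of at most 255 chars.
            cmd.Parameters.Add("@password", OdbcType.NVarChar, 255).Value = encryptedPassword;
            cmd.Parameters.Add("@id", OdbcType.Int).Value = userId;

            cs.Open();
            return cmd.ExecuteNonQuery(); // number of rows affected
        }
    }

    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: PasswordStore <odbc-connection-string>");
            return;
        }
        // Constructed sample value with the kinds of characters that break a
        // concatenated statement: single quote, double quote, tab.
        string sample = ".w\"2H'X,1\t#~@";
        try
        {
            Console.WriteLine("Rows updated: " + SetPassword(args[0], 1, sample));
        }
        catch (OdbcException ex)
        {
            Console.Error.WriteLine("Update failed: " + ex.Message);
        }
    }
}
```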