
I have no idea what's wrong with my code; it keeps giving me a Syntax error in UPDATE statement. Here is the code:

    adoQueryUsers.SQL.Clear;
    adoQueryUsers.SQL.Add('Update Users SET Password = "' +
        EdtPassword.Text + '"  where Username = "' + sUsername + '"  ');
    adoQueryUsers.Active := true;
    adoQueryUsers.ExecSQL;

I did try using adoQueryUsers.SQL.Text := but it gives me the exact same problem.

  • does the error persist using ... Password = "' + StringReplace(EdtPassword.Text, '''', '''''', [rfReplaceAll]) + '" where Username ... ? Do the same for sUsername too. Commented Oct 8, 2015 at 12:26
  • @fantaghirocco Yes, exactly the same error. Commented Oct 8, 2015 at 12:32
  • Do not inline your values within the SQL! It is pretty unsafe (and slow), due to en.wikipedia.org/wiki/SQL_injection. Use parameters! Commented Oct 8, 2015 at 12:37
  • Also adoQueryUsers.Active := true is not necessary for updates. Commented Oct 8, 2015 at 12:40
  • More reference material: xkcd.com/327 :) Commented Oct 8, 2015 at 12:40

2 Answers


Remove your 'adoQueryUsers.Active := true;'. This is an update statement and doesn't return a recordset. Only your ExecSQL is needed.

Also, I would use parameters instead of passing the password and user directly into the query, or you're exposed to SQL injection.



You have several issues in your code.

Let's start with the inappropriate call to

adoQueryUsers.Active := true;

You only use TADOQuery.Active or TADOQuery.Open on a SQL statement that returns a rowset. Your statement does not do so, so remove that statement. The TADOQuery.ExecSQL is the only one that is relevant here.

Next, stop trying to concatenate SQL, and use parameters instead. It's no more code and it properly handles things like quoting values, formatting dates, etc. It also prevents SQL injection issues for you.

    adoQueryUsers.SQL.Clear;
    adoQueryUsers.SQL.Add('Update Users SET Password = :Password');
    adoQueryUsers.SQL.Add('Where UserName = :UserName');
    // Bind the values; the driver sends them as data, never as statement text
    adoQueryUsers.Parameters.ParamByName('Password').Value := EdtPassword.Text;
    adoQueryUsers.Parameters.ParamByName('UserName').Value := sUserName;
    // No Open/Active here: an UPDATE returns no rowset
    adoQueryUsers.ExecSQL;

5 Comments

Thanks, but exactly the same error? What else can cause this exact error to happen? Because I'm sure your code is right and everything, now I am wondering if it's something else that is causing this. (Error is Syntax error in UPDATE statement.)
Could it be reserved words? I can't see any reference to which database type this query is being run against. Does it make any difference if you parenthesise the table and field names, e.g. UPDATE [Users] SET [Password]=
What database are you connecting to? What happens if you use whatever tool you have to run manual queries (outside Delphi) and run your statement (using the actual values for the field content)? Does it work there?
I'm using a Microsoft Access 2003 database (Provider Microsoft.Jet.OLEDB.4.0). The Username is a Short Text in the database and the password field as well, and I tried parenthesising; the same error.
@IKNOWALONE: Well, that's half of what I asked. What about the second half?
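Both answers say the same two things: drop Active := true and bind the values as parameters. The program below is an added example, not code from the question or either answer, that puts both fixes together and also shows what the concatenated statement from the question expands to when the username is hostile. It assumes a TADOQuery already attached to the Jet 4.0 connection named in the comments, and a Users table whose text columns are called Username and Password exactly as in the question; the hostile username is constructed for the demonstration. Two points the thread touches on but does not spell out: Jet delimits string literals with double quotes, so the StringReplace idea in the comments (doubling single quotes) leaves the hole open, and Password is on the Jet/Access reserved-word list, which is what bracketing the identifiers, as the later comment suggests, is for.

```delphi
program UpdatePasswordDemo;
{$APPTYPE CONSOLE}

uses
  SysUtils, ADODB;

// Added example (not the question's or either answer's code). Assumes a
// Users table with text columns Username and Password, as in the question,
// reached through a TADOQuery that is already connected to the Jet 4.0 database.

// The question's approach: values spliced into the statement text. This only
// builds the string so the expansion can be inspected; do not execute it.
function BuildConcatenatedUpdate(const Password, Username: string): string;
begin
  Result := 'Update Users SET Password = "' + Password +
            '"  where Username = "' + Username + '"  ';
end;

// Hardened form from the answers: no Active/Open on a statement that returns
// no rowset, values bound as parameters so the provider never parses them as
// SQL, and identifiers bracketed because Password is a Jet reserved word.
// Returns the number of rows affected so a miss (0 rows) can be detected.
function UpdatePassword(Query: TADOQuery; const Username, Password: string): Integer;
begin
  Query.Close;
  Query.SQL.Text :=
    'UPDATE [Users] SET [Password] = :Password WHERE [Username] = :Username';
  Query.Parameters.ParamByName('Password').Value := Password;
  Query.Parameters.ParamByName('Username').Value := Username;
  Result := Query.ExecSQL;
end;

var
  Hostile: string;
begin
  // Constructed hostile username: closes the double-quoted literal that the
  // concatenated statement wraps it in and appends an always-true condition.
  // Doubling single quotes (the StringReplace idea) leaves it untouched.
  Hostile := 'alice" OR 1=1 OR "x"="';
  Writeln(BuildConcatenatedUpdate('pwned', Hostile));

  // With a connected query the safe call would be:
  //   if UpdatePassword(adoQueryUsers, 'alice', 'pwned') = 0 then
  //     Writeln('no such user');
  // No connection is opened in this demo, so the safe path is shown, not run.
end.
```

Running the program prints the expanded statement; with the hostile username its WHERE clause reads Username = "alice" OR 1=1 OR "x"="" and matches every row, so every user's password would be overwritten by one form submission. The parameterized version sends the same string to the provider as data, and the row count it returns lets the caller notice when no user matched instead of silently succeeding. Whatever the column is called, EdtPassword.Text should not be written into it as plain text; hash it before binding.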
