OleDbException was unhandled…….Syntax error in UPDATE statement

by

You should use SQL parameters. These will not only simplify your code, they will make certain kinds of errors regarding syntax and data types extremely unlikely and protect against SQL injection attacks:

Dim sql = <sql> 
        UPDATE tblPatientsRecord SET [Names] = @p1,
                Licensenumber = @p2, 
                Address = @p3,
                Fullname = @p4,
                Birthday = @p5, 
                [Age] = @p6,
                Country = @p7
        WHERE PatientID = @p8
        </sql>.Value

Using conn = New OleDbConnection(myConnStr),
        cmd As New OleDbCommand(sql, conn)

    conn.Open()

    cmd.Parameters.Add("@p1", OleDbType.VarChar).Value = txtNames.Text
    cmd.Parameters.Add("@p2", OleDbType.VarChar).Value = txtLicensenumber.Text
    ' ...etc
    cmd.Parameters.Add("@p6", OleDbType.Integer).Value = intVar
    cmd.Parameters.Add("@p7", OleDbType.VarChar).Value = strVar

    'the last one is the WHERE
    cmd.Parameters.Add("@p8", OleDbType.VarChar).Value = Convert.ToInt32(lblPatientID.Text)

    cmd.ExecuteNonQuery()
    '... etc

End Using

There are several other commonly seen issues which should be tended to.

  1. DBConnection objects are intended to be created, used and disposed of rather than the same one used over and over. However, you can use a global connection string so you don’t have the same connection string all over the place.

  2. Many of the DBObjects should be disposed of. Using blocks will close and dispose of the connection and command objects. Generally, if something has Dispose method, wrap them in a Using block. The above shows how to “stack” 2 objects (OleDbConnection and OleDbCommand) into one Using statement which reduces indentation.

  3. Use the Add method rather than AddWithValue. This allows you to specify the datataype for each parameter. Without it, the DB Provider must guess which can result in Datatype mismatch or even corrupt the database in some instances.

  4. The WHERE clause is just another parameter. Often people will use Parameters for the first part of the SQL but concatenate for the WHERE clause needlessly.

  5. The above also uses an XML literal to construct the SQL. This is handy for long, complex SQL because you can format and indent it as you like. You can also just use multiple lines to make it readable :

    Dim sql = "UPDATE tblPatientsRecord SET [Names] = @p1, " _
    & "Licensenumber = @p2, " _
    & "Address = @p3, "

  6. If you use SQL reserved words or spaces in table or column names, you must escape the names using [Square Brackets] as shown. It is best not to use either in the names. User, Password Names and Values are commonly seen words used as column or table names which result in SQL syntax errors.

  7. Ticks are not all-purpose SQL field delimiters, they actually indicate that the value being passed is string/text: & "Age="" & txtAge.Text & """. If the DB is set to store Age as a number, your SQL is passing it as text/string which can result in a data type mismatch. The same is true of PatientID and Birthday if it is a date field.

    A common problem concatenating strings for a SQL statements is too many or too few ticks (') in the result. This cant happen with SQL Parameters.

The main purpose for SQL Parameters, though is to prevent an error if the name is “O’Brian” or “O’Reilly” or “Bobby’;DROP TABLE tblPatientsRecord”

These principles apply for other DB providers such asMySql, SQLite and SQLServer. The details such as the exact escape character however will vary.

Note that Access/OleDB doesn’t actually use named parameters as such (@FirstName or even @p2), so will often see params in the form of “?”. This means that you must add the parameter values (Add/AddWithValue) in the same exact order as those columns appear in the SQL.

For more information see:

More Related Contents:

  1. Hangman VB Not Working
  2. VB: Unhandled exception [duplicate]
  3. First time execution was not stopped
  4. TCP Client to Server communication
  5. Random integer in VB.NET
  6. Installer with Online Registration for Windows Application
  7. How to programmatically add controls to a form in VB.NET
  8. Declare global variables in Visual Studio 2010 and VB.NET
  9. VB6 keyword Set what does it mean?
  10. Dynamic button click event handler
  11. When to use StringBuilder? [duplicate]
  12. How to use comparison methods between class object modules in VBA in a similar manner as VB.NET?
  13. System.Data.OracleClient requires Oracle client software version 8.1.7
  14. HTTP GET in VB.NET
  15. Option Strict on by default in VB.NET
  16. Doing math in vb.net like Eval in javascript
  17. Passing parameter to query for Access database
  18. What is the use of a shared variable in VB.NET?
  19. Is VB really case insensitive?
  20. Associating file extensions with a program
  21. Nullable type with inline if cannot work together?
  22. How to add a project as a reference of another project
  23. Is there a possibility to address elements on a website which have no ID?
  24. How to escape double quotes in as a parameter to an NUnit TestCase?
  25. Execute a SQL Stored Procedure and process the results [closed]
  26. Why am I getting, “Object reference not set to an instance of an object.” but no line of code is implicated?
  27. Show checked rows into another DataGridView
  28. How to run DOS/CMD/Command Prompt commands from VB.NET?
  29. VB6 to VB.net conversion [closed]
  30. How to call the Magento API from VB.NET

Leave a Comment