Could you please help me out? I have an error in my code that I cannot understand.
The error is:
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near 'Login'.
and my code:
public static void ChangePassword(string login, string password)
{
    var sqlCon = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
    // The statement is built by concatenating the raw login and password into the SQL text.
    string query = @"update Organizer set Password ="+ password + "where Login=" + login + "";
    SqlCommand cmd = new SqlCommand(query, sqlCon);
    cmd.CommandType = CommandType.Text;
    try
    {
        sqlCon.Open();
        cmd.ExecuteNonQuery();
        sqlCon.Close();
    }
    catch (Exception ee) { throw ee; }
}
- We've seen enough SQL injection attacks, we don't need another one, please fix your code and use parameters.
- Use using blocks to avoid leaking connections.
- Install an exception handler like ELMAH.
- Don't save passwords in the database.
using (var sqlCon = new SqlConnection(...))
{
    string query = @"update Organizer set Password =@password where Login=@login";
    SqlCommand cmd = new SqlCommand(query, sqlCon);
    cmd.CommandType = CommandType.Text;
    cmd.Parameters.Add("@password", SqlDbType.VarChar, 8000);
    cmd.Parameters["@password"].Value = password;
    cmd.Parameters.Add("@login", SqlDbType.VarChar, 8000);
    cmd.Parameters["@login"].Value = login;
    sqlCon.Open();
    cmd.ExecuteNonQuery();
    sqlCon.Close();
}
Try
string query = @"update Organizer set Password ='"+ password + "' where Login= '" + login + "'";
You are missing the ' around the strings. That being said, you are likely very open to SQL injection attacks (I'm guessing because of the code, and the lack of a clearing function).
Also make sure you're not storing passwords in plain text :)
The ' is used like " in SQL.
If you were going to use the code above, your issue is that you're not wrapping the new password or login in single quotes:
string query =
    @"update Organizer set Password = '" +
    password +
    "' where Login= '" + login + "'";
But I wouldn't use that code at all. It's quite dangerous since it allows people to pass in arbitrary SQL. I would use parameterized queries instead:
var query = "update organizer set password = @password where login = @login";
var command = new SqlCommand(query, sqlCon);
// Add(name, type, size) returns the SqlParameter; set its Value explicitly.
// (The four-argument Add(name, type, size, string) overload takes a source column name, not a value.)
command.Parameters.Add("@password", SqlDbType.VarChar, 100).Value = password;
command.Parameters.Add("@login", SqlDbType.VarChar, 100).Value = login;
sqlCon.Open();
command.ExecuteNonQuery();
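An added example, not taken from any of the answers above, that demonstrates the two points they make (use parameters; do not store passwords in plain text) in a form that runs offline: Python with sqlite3 standing in for SQL Server. The string-built UPDATE fails as soon as a value contains an apostrophe, which is the same class of syntax error the question reports, while the parameterized UPDATE sends the values separately from the SQL text and stores a salted PBKDF2 hash instead of the password itself. The Organizer table, the alice row and the pa'ss value are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the question's Organizer table.
    con = sqlite3.connect(":memory:")
    con.execute("create table Organizer (Login text primary key, Password text)")
    con.execute("insert into Organizer values ('alice', 'old')")
    con.commit()
    return con


def change_password_concat(con, login, password):
    # The question's pattern: values spliced into the SQL text. Any quote in
    # the value becomes part of the statement and changes its meaning.
    query = "update Organizer set Password = '" + password + "' where Login = '" + login + "'"
    con.execute(query)
    con.commit()


def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256, stored as "salt$digest" so the database never
    # holds the clear-text password.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def change_password_param(con, login, password):
    # Parameterized form: placeholders in the SQL, values passed to the driver.
    # The statement structure is fixed before any user data is seen.
    stored = hash_password(password)
    cur = con.execute("update Organizer set Password = ? where Login = ?", (stored, login))
    con.commit()
    return cur.rowcount


def lookup(con, login):
    row = con.execute("select Password from Organizer where Login = ?", (login,)).fetchone()
    return row[0] if row else None


def demo():
    con = make_db()
    tricky = "pa'ss"  # legal in a password, fatal to string-built SQL
    try:
        change_password_concat(con, "alice", tricky)
        concat_error = None
    except sqlite3.OperationalError as e:
        concat_error = str(e)  # syntax error, the concatenated quote broke the statement
    rows = change_password_param(con, "alice", tricky)
    stored = lookup(con, "alice")
    return concat_error, rows, stored


if __name__ == "__main__":
    err, rows, stored = demo()
    print("concatenated query error:", err)
    print("rows updated by parameterized query:", rows)
    print("stored value is a salted hash:", stored)
    print("verify pa'ss:", verify_password("pa'ss", stored))
```

The same shape applies to the C# answers above: the `?` placeholders play the role of `@password` and `@login`, and the hash, not the password, is what goes into the parameter's Value.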
You need single quotes...
set Password = ' /*<---*/ "+ password + "' /*<---*/ where Login=' /*<---*/ " + login + "' /*<---*/ "