As ppolymorphe stated, the syntax is an invitation for SQL Injection, and you should review those articles. Wouldn't want to have to refer to you as "Little Bobby Tables" in the future...
While the OleDB class doesn't support named parameters[1], they do use the AddWithValue method which has named parameters. What you must do is add the parameters in the same order as they appear in the query.
I prefer to do it this way as it mirrors the syntax when working with AdoDB and SQL server.
The following lines should replace the corresponding lines in your Try block:
string squery = "update users set Password=? where userId= ?";
cmd = new OleDbCommand(squery, mconn);
cmd.Parameters.AddWithValue("@Password", txtnewpassword.Text);
cmd.Parameters.AddWithValue("@userId", id);
References:
[1] OleDbCommand.Parameters Property
The OLE DB .NET Provider does not support named parameters for passing parameters to an SQL statement or a stored procedure called by an OleDbCommand when CommandType is set to Text. In this case, the question mark (?) placeholder must be used.
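The positional binding described in this answer, as an added example that is not part of the original post: it builds the same UPDATE with explicitly typed parameters and checks that the number of `?` markers matches the number of parameters before the command is used. The helper names, the `int` user id, the column size of 255 and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Data.OleDb;
using System.Linq;

static class PositionalParameterDemo
{
    // Hypothetical helper (not from the answer): builds the same UPDATE with
    // explicitly typed parameters instead of AddWithValue's inferred types.
    public static OleDbCommand BuildPasswordUpdate(OleDbConnection conn, string newPassword, int userId)
    {
        var cmd = new OleDbCommand("update users set Password=? where userId=?", conn);
        // OleDb binds by position: the first Add fills the first ?, the second
        // Add fills the second ?. The names are only labels for the reader.
        cmd.Parameters.Add("@Password", OleDbType.VarWChar, 255).Value = newPassword; // size 255 is assumed
        cmd.Parameters.Add("@userId", OleDbType.Integer).Value = userId;              // int key is assumed
        EnsurePlaceholderCount(cmd);
        return cmd;
    }

    // Fails fast when the number of ? markers and parameters differ.
    // Simplification: assumes no literal '?' appears inside quoted SQL text.
    public static void EnsurePlaceholderCount(OleDbCommand cmd)
    {
        int placeholders = cmd.CommandText.Count(c => c == '?');
        if (placeholders != cmd.Parameters.Count)
            throw new InvalidOperationException(
                $"{placeholders} placeholders but {cmd.Parameters.Count} parameters");
    }

    static void Main()
    {
        // Constructed sample input; the connection is never opened, so no database is needed.
        using (var conn = new OleDbConnection())
        using (var cmd = BuildPasswordUpdate(conn, "new'pass", 42))
        {
            // The statement text is unchanged by the input; the value travels separately.
            Console.WriteLine(cmd.CommandText);
            for (int i = 0; i < cmd.Parameters.Count; i++)
                Console.WriteLine($"? #{i + 1} <- {cmd.Parameters[i].ParameterName} = {cmd.Parameters[i].Value}");
        }
    }
}
```

The count check catches a missing or extra parameter, but not two parameters added in swapped order, so the order of the `Add` calls still has to be reviewed against the query text.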