I am implementing a login form using C# and MySQL, The user should enter his/her username and password then select if he/she is a student, instructor or admin.
then I want to check if entered values are correct , here is my code:
connection.Open();
MySqlCommand cmd = new MySqlCommand();
cmd.CommandText = "Select * from #userType where username=#user and password=#pass";
cmd.Parameters.AddWithValue("#userType", userType);
cmd.Parameters.AddWithValue("#user", user);
cmd.Parameters.AddWithValue("#pass", pass);
cmd.Connection = connection;
MySqlDataReader login = cmd.ExecuteReader();
But the query didn't work !
the error message :
MySql.Data.MySqlClient.MySqlException, HResult=0x80004005,
Message=You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''student' where username='noor123' and password='123456'' at
line Source=MySql.Data
what is the error ?
The SQL query generated by that code is:
Select * from 'student' where username="noor123" and password="123456"
The table can't be inside '' as that's not correct SQL syntax.
You can't use the parameter for the table name, do this instead, this way you won't get '' for the table name:
connection.Open();
MySqlCommand cmd = new MySqlCommand();
cmd.CommandText = "Select * from " + userType.ToString() + " where username=#user and password=#pass";
cmd.Parameters.AddWithValue("#user", user);
cmd.Parameters.AddWithValue("#pass", pass);
cmd.Connection = connection;
MySqlDataReader login = cmd.ExecuteReader();
If this is just an assignment and not a real-world program then do the following.
Make sure variables userType, user and pass are of type String.
Make sure that userType represents a syntactically correct table or view name.
Update this line cmd.CommandText = $"Select * from {userType} where username=#user and password=#pass";
Remove this line cmd.Parameters.AddWithValue("#userType", userType);
I believe that should help. I didn't check myself.
However in real world you shouldn't program it this way. There are many security considerations when dealing with authentication/authorization not mentioning the possibility for sql injection. If this is a real project then I recommend you to read appropriate materials regarding the subject.
I have this code for inserting data into database using Windows forms application.
But I get this error
Could not find stored procedure 'sp_insert'
I am not using any external server and it's a Local db
UPDATE: it seemed that I don't have a stored procedure so I tried to create one but it throws another error
CREATE PROCEDURE sp_insert
#UserName varchar(20),
#Password varchar(18),
#Email varchar(50),
#Name varchar(20),
#Surname varchar(20)
AS
-- here the error occurs "error near syntax" but User is my table name
-- and it's correct I don't know what is the problem is
INSERT INTO User (UserName, Password, Email, Name, Surname)
VALUES (#UserName, #Password, #Email, #Name, #Surname)
C# code:
SqlConnection con = new SqlConnection(#"Data Source= (LocalDB)\v11.0;AttachDbFilename=D:\TaxiBooking\TaxiBooking\TaxiBooking\Registraion.mdf;Integrated Security=True;");
SqlCommand cmd = new SqlCommand("sp_insert", con);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("#UserName",txtUser.Text);
cmd.Parameters.AddWithValue("#Password", txtPassword.Text);
cmd.Parameters.AddWithValue("#Email", txtEmail.Text);
cmd.Parameters.AddWithValue("#Name", txtName.Text);
cmd.Parameters.AddWithValue("#Surname", txtSurname.Text);
con.Open();
cmd.ExecuteNonQuery();
why don't you try dbo.sp_insert.
SqlCommand cmd = new SqlCommand("dbo.sp_insert", con);
You are using a reserved word:
Change
INSERT INTO User( UserName,Password,Email,Name,Surname)
to
INSERT INTO [User]( UserName,Password,Email,Name,Surname)
Try to avoid the use of terms that look like they will be shared with the OS or application you are coding against. You will save yourself some headaches.
I am trying to insert into a database from Excel, and I've got all values from Excel. When I insert into my database I get Factal Exception. How do I recover from this exception?
MySqlCommand commd = new MySqlCommand();
commd.Connection = OpenConnection();
commd.CommandText = "INSERT INTO sqa_tracking(IID,STARTDATE,ENDDATE,WEEK,SUPPLIER,LINENO,ORDER_ID,BRCARID,PAGE_FIRST,PAGE_LAST,PAGE_COUNT,ARTICLE_NO,COUNT_LINENO,TOTAL_NR_OF_ITEMS,CAR_SUPPLIER,CONTENT_PROVIDER_NAME,MANIFESTATION,FACTOR,UNITS,DATE_OF_SUBMISSION,UNITS_KEY,COUNT_UNITS_KEY,TOTAL_NR_OF_UNITS,ERRORS,KPI_ERRORS,OBII_ELEMENT,CAR_FIELD_NAME,ERROR_TYPE,WRONG_CAPTURE_IN_FILE,CORRECT_CAPTURE_WOULD_BE,REPEATING_IN_CAR,SOURCE_FILE_TYPE,FULL_AUTOM_CONV,ERROR_IN_SOURCE_FILE,ROOT_CAUSE_OF_THE_ERROR,PREVENTIVE_MEASURES,DATE_OF_IMPLEMENTATION,DATE_OF_TRANSMISSION,VALIDATED) VALUES (#IID,#STARTDATE,#ENDDATE,#WEEK,#SUPPLIER,#LINENO,#ORDER_ID,#BRCARID,#PAGE_FIRST,#PAGE_LAST,#PAGE_COUNT,#ARTICLE_NO,#COUNT_LINENO,#TOTAL_NR_OF_ITEMS,#CAR_SUPPLIER,#CONTENT_PROVIDER_NAME,#MANIFESTATION,#FACTOR,#UNITS,#DATE_OF_SUBMISSION,#UNITS_KEY,#COUNT_UNITS_KEY,#TOTAL_NR_OF_UNITS,#ERRORS,#KPI_ERRORS,#OBII_ELEMENT,#CAR_FIELD_NAME,#ERROR_TYPE,#WRONG_CAPTURE_IN_FILE,#CORRECT_CAPTURE_WOULD_BE,#REPEATING_IN_CAR,#SOURCE_FILE_TYPE,#FULL_AUTOM_CONV,#ERROR_IN_SOURCE_FILE,#ROOT_CAUSE_OF_THE_ERROR,#PREVENTIVE_MEASURES,#DATE_OF_IMPLEMENTATION,#DATE_OF_SUBMISSION,#VALIDATED) ";
commd.Parameters.AddWithValue("#STARTDATE", StartDate);
commd.Parameters.AddWithValue("#ENDDATE", EndDate);
commd.Parameters.AddWithValue("#WEEK", Week);
commd.Parameters.AddWithValue("#SUPPLIER", Supplier);
commd.Parameters.AddWithValue("#LINENO", LineNo);
commd.Parameters.AddWithValue("#ORDER_ID", ORDERID);
commd.Parameters.AddWithValue("#BRCARID", "");
commd.Parameters.AddWithValue("#PAGE_FIRST", PageFirst);
commd.Parameters.AddWithValue("#PAGE_LAST", Pagelast);
commd.Parameters.AddWithValue("#PAGE_COUNT", Pagecount);
commd.Parameters.AddWithValue("#ARTICLE_NO", ArticleNo);
commd.Parameters.AddWithValue("#COUNT_LINENO", COUNTLineNo);
commd.Parameters.AddWithValue("#TOTAL_NR_OF_ITEMS", Totalnrofitems);
commd.Parameters.AddWithValue("#CAR_SUPPLIER", CARSupplier);
commd.Parameters.AddWithValue("#CONTENT_PROVIDER_NAME", ContentProvidename);
commd.Parameters.AddWithValue("#MANIFESTATION", Manifestation);
commd.Parameters.AddWithValue("#FACTOR", AU);
commd.Parameters.AddWithValue("#UNITS", Units);
commd.Parameters.AddWithValue("#DATE_OF_SUBMISSION", Dateoftransmission);
commd.Parameters.AddWithValue("#UNITS_KEY", unitskey);
commd.Parameters.AddWithValue("#COUNT_UNITS_KEY", COUNTunitskey);
commd.Parameters.AddWithValue("ERRORS", Errors);
commd.Parameters.AddWithValue("#KPI_ERRORS", KPIErrors);
commd.Parameters.AddWithValue("#OBII_ELEMENT", OBIIElement);
commd.Parameters.AddWithValue("#CAR_FIELD_NAME", CARFieldname);
commd.Parameters.AddWithValue("#ERROR_TYPE", Errortype);
commd.Parameters.AddWithValue("#IID", IID);
commd.Parameters.AddWithValue("#WRONG_CAPTURE_IN_FILE", Wrongcaptureinfile);
commd.Parameters.AddWithValue("#CORRECT_CAPTURE_WOULD_BE", Correctcapturewouldbe);
commd.Parameters.AddWithValue("#REPEATING_IN_CAR", RepeatinginCAR);
commd.Parameters.AddWithValue("#SOURCE_FILE_TYPE", Sourcefiletype);
commd.Parameters.AddWithValue("#FULL_AUTOM_CONV", FulAutomConv);
commd.Parameters.AddWithValue("#ERROR_IN_SOURCE_FILE", Errorinsourcefile);
commd.Parameters.AddWithValue("#ROOT_CAUSE_OF_THE_ERROR", RootCauseoftheError);
commd.Parameters.AddWithValue("#PREVENTIVE_MEASURES", PreventiveMeasures);
commd.Parameters.AddWithValue("#DATE_OF_IMPLEMENTATION", DateofImplementation);
commd.Parameters.AddWithValue("#VALIDATED", Validated);
commd.ExecuteNonQuery();`
I used inline query and I got the parameter values from DataTable.
Always remember that fatal error occurred during command execution only because of incorrect parameters value name.
so correct the parameter value to avoid fetal errors during command execution
You have not provided parameter value for TOTAL_NR_OF_UNITS & DATE_OF_TRANSMISSION.
Also Please follow the order in your insert query and while adding parameters, makes it easier to troubleshoot.
commd.Parameters.AddWithValue("#TOTAL_NR_OF_UNITS",TotalNrOfUnits);
commd.Parameters.AddWithValue("#DATE_OF_TRANSMISSION", DateOfTransmission);
Either this . . .
SqlCommand cmd = new SqlCommand("insert into tbl_insert values (#id,#name,#Email,#City)");
cmd.Parameters.AddWithValue("#id", Convert.ToInt32(txtId.Text));
cmd.Parameters.AddWithValue("#name", txtName.Text);
cmd.Parameters.AddWithValue("#Email", txtEmail.Text);
cmd.Parameters.AddWithValue("#City", txtboxCity.Text);
...or this...
con.Open();
SqlCommand cmd = new SqlCommand(#"insert into tbl_insert values(#name,#email,#add)", con);
cmd.Parameters.AddWithValue("#name", txtname.Text);
cmd.Parameters.AddWithValue("#email", txtemail.Text);
cmd.Parameters.AddWithValue("#add", txtadd.Text);
cmd.ExecuteNonQuery();
con.Close();
...should work fine.
Can I use MySql Stored Procedure for my Mono C# Gtk+ app for Ubuntu?
I have try with..
using MySql.Data.MySqlClient;
// Prepare connecting to the database.
myConn = new MySqlConnection("server=localhost;database=table;uid=root;password=1234;");
cmd = myConn.CreateCommand();
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = #"Call newRow()";
myConn.Open();
cmd.ExecuteNonQuery();
myConn.Close();
If I just make and hardcode sql string in my program, it work!
Like..
cmd.CommandText = #"insert into table ...
The problem is with the:
cmd.CommandType = CommandType.StoredProcedure
-Line.
If you get an error with the Open call, your connection string is wrong. That has nothing to do with your command.
That said, I think your command should only contain the stored procedures name. Just "newRow" without any additional database syntax like call or empty brackets.
Ok so.. Just remove the..
cmd.CommandType = CommandType.StoredProcedure
The MySql.Data.MySqlClient do not need this option to do Stored Procedure :)
I think its a logic error as I can access my local database fine. My error code looks like this:
SQL logic error or missing database
SQLiteConnection myConnection = new SQLiteConnection();
myConnection.ConnectionString = #"Data Source= C:\Users\Lewis Elliott\Desktop\banklist.sqlite3";
using (myConnection)
{
string SQL = "INSERT INTO recipes (Index, name, serves, description, information, method_1, method_2, key, cost, calories, carbs, fat, protein, sodium, sugar, type, is_populated) VALUES";
SQL += "(#Index, #name, #serves, #description, #information, #method_1, #method_2, #key, #cost, #calories, #carbs, #fat, #protein, #sodium, #sugar, #type, #is_populated)";
SQLiteCommand cmd = new SQLiteCommand(SQL);
cmd.Connection = myConnection;
cmd.Parameters.AddWithValue("#Index", Guid.NewGuid());
cmd.Parameters.AddWithValue("#name", nameBox.Text);
cmd.Parameters.AddWithValue("#serves", servesBox.Text);
cmd.Parameters.AddWithValue("#description", descriptionBox.Text);
cmd.Parameters.AddWithValue("#information", informationBox.Text);
cmd.Parameters.AddWithValue("#method_1", method1Box.Text);
cmd.Parameters.AddWithValue("#method_2", method2Box.Text);
cmd.Parameters.AddWithValue("#key", keyBox.Text);
cmd.Parameters.AddWithValue("#cost", costBox.Text);
cmd.Parameters.AddWithValue("#calories", caloriesBox.Text);
cmd.Parameters.AddWithValue("#carbs", carbsBox.Text);
cmd.Parameters.AddWithValue("#fat", fatbox.Text);
cmd.Parameters.AddWithValue("#protein", proteinBox.Text);
cmd.Parameters.AddWithValue("#sodium", sodiumBox.Text);
cmd.Parameters.AddWithValue("#sugar", sugarBox.Text);
cmd.Parameters.AddWithValue("#type", typeBox.Text);
cmd.Parameters.AddWithValue("#is_populated", isPopulatedBox.Text);
myConnection.Open();
cmd.ExecuteNonQuery();
myConnection.Close();
Can anyone see any errors in this logic?