is this the correct statement if not plz help me correct it.
String query = "delete from favourite where username=" +
Session["username"].ToString() + "and id=" + id;
If your question is purely about SQL, then yes, what you have will work. But, as you have it, you have a very serious security problem. Google "SQL injection attacks". I'm not sure what you are using for data access (ADO.NET? Entiry Framework? Dapper?) But regardless, you'll want to use parameters:
var sql = "delete from favourite where username=#username and id=#id";
and then:
cmd.Parameters.AddWithValue("#username", Session["username"].ToString());
cmd.Parameters.AddWithValue("#id", id);
But even then, AddWithValue isn't the best way, because it can cause type conversion issues once the query hits the database. You are better off doing it longhand:
var userNameParam = new SqlParameter("username", SqlDbType.VarChar);
userNameParam.Value = Session["username"].ToString();
var idParam = new SqlParameter("id", SqlDbType.Int);
idParam .Value = id;
command.Parameters.Add(salaryParam);
command.Parameters.Add(idParam );
datofreg is of type datetime
my command is
SqlCommand cmd = new SqlCommand("insert into stud(datofreg) values('"+DateTime.Now+"'",conn);
when i execute it says Incorrect syntax near '1/6/2014 12:45:17 AM'.
Your problem is you are missing ) at the end of your query but don't use this way..
"insert into stud(datofreg) values('" + DateTime.Now + "')"
^^here
You should always use parameterized queries. This kind of string concatenations are open for SQL Injection attacks.
For example;
SqlCommand cmd = new SqlCommand("insert into stud(datofreg) values(#date)", conn);
cmd.Parameters.AddWithValue("#date", DateTime.Now);
cmd.ExecuteNonQuery();
I'm trying to add values from a textbox into a datagridview, I have asked this question before but I'm now getting a different error saying
There are more columns in the INSERT statement than values specified in the VALUES clause. The number of values in the VALUES clause must match the number of columns specified in the INSERT statement.
This is the code causing the error
private void SaveBtn_Click(object sender, EventArgs e)
{
SqlConnection sc = new SqlConnection();
SqlCommand com = new SqlCommand();
sc.ConnectionString = ("Data Source=localhost;Initial Catalog=LoginScreen;Integrated Security=True");
sc.Open();
com.Connection = sc;
com.CommandText = ("INSERT INTO Stock (Prod_ID, Prod_Name, Prod_Cat, Supplier, Cost, Price_1, Price_2, Price_3) VALUES ('"+ProdID.Text+"''"+ProdName.Text+"'+'"+ProdCat.Text+"'+'"+ProdSup.Text+"'+'"+ProdCost.Text+"'+'"+ProdPrice1.Text+"'+'"+ProdPrice2.Text+"'+'"+ProdPrice3.Text+"');");
com.ExecuteNonQuery();
sc.Close();
}
my database
The direct cause of the error is omitted commas (",") in the "value" section of the query.
You should have put it like that
VALUES ('"+ProdID.Text+"', '"+ProdName.Text+", '+'"+ProdCat.Text+", '+'"+ProdSup.Text+...
instead of
VALUES ('"+ProdID.Text+"''"+ProdName.Text+"'+'"+ProdCat.Text+"'+'"+ProdSup.Text+...
Your code is also vulnerable to so called SQL-injection attack (imagine someone has put
'" delete from Stock --' into ProdID.Text: the execution'll result in Stock table
clearance)
The recommended way looks something like this:
using(SqlConnection sc = new SqlConnection()) {
sc.ConnectionString = "Data Source=localhost;Initial Catalog=LoginScreen;Integrated Security=True";
sc.Open();
using (SqlCommand com = sc.CreateCommand()) {
com.CommandText =
"insert into Stock(\n" +
" Prod_Id,\n" +
" Prod_Name,\n" +
" Prod_Cat,\n" +
" Supplier,\n" +
" Cost,\n" +
" Price_1,\n" +
" Price_2,\n" +
" Price_3)\n" +
"values(\n" +
" #prm_Prod_Id,\n" +
" #prm_Prod_Name,\n" +
" #prm_Prod_Cat,\n" +
" #prm_Supplier,\n" +
" #prm_Cost,\n" +
" #prm_Price_1,\n" +
" #prm_Price_2,\n" +
" #prm_Price_3)";
//TODO: Change my arbitrary "80" to actual Stock fields' sizes!
com.Parameters.Add("#prm_Prod_Id", SqlDbType.VarChar, 80).Value = ProdID.Text;
com.Parameters.Add("#prm_Prod_Name", SqlDbType.VarChar, 80).Value = ProdName.Text;
com.Parameters.Add("#prm_Prod_Cat", SqlDbType.VarChar, 80).Value = ProdCat.Text;
com.Parameters.Add("#prm_Supplier", SqlDbType.VarChar, 80).Value = ProdSub.Text;
com.Parameters.Add("#prm_Cost", SqlDbType.VarChar, 80).Value = ProdCost.Text;
com.Parameters.Add("#prm_Price_1", SqlDbType.VarChar, 80).Value = ProdPrice1.Text;
com.Parameters.Add("#prm_Price_2", SqlDbType.VarChar, 80).Value = ProdPrice2.Text;
com.Parameters.Add("#prm_Price_3", SqlDbType.VarChar, 80).Value = ProdPrice3.Text;
com.ExecuteNonQuery();
}
}
You are missing commas in your values part of your sql. When ever you are doing something like this (big concatination of a string) you should know two things. First, a good way to test is to write out to console, messagebox, ext. You often will see the error right away. The next thing to know is that if you are concatintating to insert into a DB, dont do it. Use parameterized queries. -> How do parameterized queries help against SQL injection?
com.CommandText = ("INSERT INTO Stock (Prod_ID, Prod_Name, Prod_Cat, Supplier, Cost, Price_1, Price_2, Price_3) VALUES ('"+ProdID.Text+"''"+ProdName.Text+"'+'"+ProdCat.Text+"'+'"+ProdSup.Text+"'+'"+ProdCost.Text+"'+'"+ProdPrice1.Text+"'+'"+ProdPrice2.Text+"'+'"+ProdPrice3.Text+"');");
should be something like this
com.CommandText = (#"INSERT INTO Stock (Prod_ID, Prod_Name, Prod_Cat, Supplier, Cost, Price_1, Price_2, Price_3) VALUES ('"+ProdID.Text+"','"+ProdName.Text+"','"+ProdCat.Text+"','"+ProdSup.Text+"','"+ProdCost.Text+"','"+ProdPrice1.Text+"','"+ProdPrice2.Text+"','"+ProdPrice3.Text+"');"));
Checkbox values in a form either result in nothing whatsoever if no boxes are checked, or a comma delimted list of values. The worst thing you can possibly do is to store this list in a single record. That would result in unusable data.
Instead, you want to change not only your code, but possible your database design so that you have a single record for every box that was checked. Remember to account for the scenario where no boxes are checked.
Try :
com.CommandText = ("INSERT INTO Stock (Prod_ID, Prod_Name, Prod_Cat, Supplier, Cost, Price_1, Price_2, Price_3) VALUES ('"+ProdID.Text+"','"+ProdName.Text+"','"+ProdCat.Text+"','"+ProdSup.Text+"','"+ProdCost.Text+"','"+ProdPrice1.Text+"','"+ProdPrice2.Text+"','"+ProdPrice3.Text+"');");
You should Replace
('"+ProdID.Text+"''"+ProdName.Text+"'+'"+ProdCat.Text+"'+'"+ProdSup.Text+"'+'"+ProdCost.Text+"'+'"+ProdPrice1.Text+"'+'"+ProdPrice2.Text+"'+'"+ProdPrice3.Text+"');");`
with
('"+ProdID.Text+"','"+ProdName.Text+"','"+ProdCat.Text+"','"+ProdSup.Text+"','"+ProdCost.Text+"','"+ProdPrice1.Text+"','"+ProdPrice2.Text+"','"+ProdPrice3.Text+"');");`
(VALUES part needs commas for each column)
I am getting error "Input string was not in a correct format" when trying to update a table via the MySQL .NET connector.
The update statement works fine when run via MySQL workbench, but not via code and I am hoping someone can tell me why.
Code is:
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId like '" + amazonOrderId + "%';";
command.ExecuteNonQuery();
I have tried both executing as a non query, and as ExecuteReader(); with no luck.
I am sure this is a simple mistake I am making, but I can't seem to find it for the life of me so any help would be greatly appreciated.
-- Edit --
I have tried the following with no luck:
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId like '#amazonOrderId';";
command.Parameters.AddWithValue("#amazonOrderId", amazonOrderId);
also changed CommandText to:
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where convert(varchar(50), amazonOrderId) like '" + amazonOrderId + "';";
and
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId = '#amazonOrderId';";
and
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId = #amazonOrderId;";
-- Resolution --
My resolution was actually found in another piece of code. After running through the debugger several times it became apparent that a MySqlConnection object was trying to be instantiated twice - with the same name etc. I removed the second instantiation and it has resolved the issue. It's too bad the error was misleading.
I appreciate everyone's responses as I feel they have made my code better and as such I have given +1's to Jon, Steve and Chris. Thanks for the help!
Is the variable amazonOrderId numeric? If so, you can't + a string to it without calling ToString() on the variable.
amazonOrderId.ToString() + "%"
Is amazonOrderId numeric in the database? If so, have you tried convert(varchar)?
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where convert(varchar(50), amazonOrderId) like #OrderID;";
command.Parameters.AddWithValue("#orderID", amazonOrderId + "%");
command.ExecuteNonQuery();
But I'm not sure why you need LIKE with %. Would this also update:
1001 - amazon order id
10010
10011
10012
10013
etc.
Is that what you really want?
If not, then use equal instead, without single quotes.
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId = #OrderId;";
command.Parameters.AddWithValue("#orderID", amazonOrderId);
command.ExecuteNonQuery();
If it IS what you want, then why not use between or greater than?
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId > #OrderId;";
command.Parameters.AddWithValue("#orderID", int.Parse(amazonOrderId.ToString() + "0"));
command.ExecuteNonQuery();
Probably you need to use parameters
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId like #orderID";
command.Parameters.AddWithValue("#orderID", amazonOrderId + "%");
command.ExecuteNonQuery();
This will avoid errors when the parameter value is a string and contains single quotes and prevent SqlInjection attacks.
The code above assumes that amazonOrderID field on the database is a text datatype and amazonOrderID variable is of string type.
However, the error message says that it doesn't recognize the input string.
This leads to the real problem. What kind of column is amazonOrderID in the database table?
It's varchar (or other text type)? or is a numeric datatype?.
If it is a text type then the syntax with like and parameters should work provided that the amazonOrderID var in code is also a string.
If the column is of a numeric datatype then the LIKE has no sense and you should change the query using = operator and also be sure that the amazonOrderID var is of numeric type.
MySqlCommand command = new MySqlCommand();
command.Connection = conn;
command.CommandText = "update fulfilled_shipments_data set addedCustomer=1 where amazonOrderId = #orderID";
command.Parameters.AddWithValue("#orderID", amazonOrderId);
command.ExecuteNonQuery();
My resolution was actually found in another piece of code. After running through the debugger several times it became apparent that a MySqlConnection object was trying to be instantiated twice - with the same name etc. I removed the second instantiation and it has resolved the issue. It's too bad the error was misleading.
string connectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\Samples\\login.mdb";
string uname, pass;
uname = textBox1.Text;
pass = textBox2.Text;
OleDbConnection myConnection = new OleDbConnection(connectionString);
myConnection.Open();
string query = "insert into LOGIN_TABLE (UserName, Password) VALUES ('" + textBox1.Text.ToString() + "','" + textBox2.Text.ToString() + "') ";
OleDbCommand myCommand = new OleDbCommand(query, myConnection);
//myCommand.CommandText = query;
OleDbParameter myParm = myCommand.Parameters.Add("#uname", OleDbType.VarChar, 50);
myParm.Value = textBox1.Text;
myParm = myCommand.Parameters.Add("#pass", OleDbType.VarChar, 50);
myParm.Value = textBox2.Text;
myCommand.ExecuteNonQuery();
myConnection.Close();
From the docs for OleDbCommand.Parameters:
The OLE DB .NET Provider does not
support named parameters for passing
parameters to an SQL statement or a
stored procedure called by an
OleDbCommand when CommandType is set
to Text. In this case, the question
mark (?) placeholder must be used.
There's an example on the same page.
However, you're not even using parameters in your SQL query. You're inviting a SQL injection attack by embedding the user input directly into the SQL and then also adding parameters.
Your query should just be:
String query = "insert into LOGIN_TABLE (UserName, Password) VALUES (?, ?)";
It looks like you can still give parameters names, even if they're not used - so just the change above may be enough.
EDIT: Is it possible that UserName or Password are reserved names? Try escaping them - I know in SQL Server it would be [UserName], [Password] but I don't know if that's true in Access. What happens if you try to execute the same SQL in Access, by the way?
The data you are passing as parameters might have single-quotes, ', in it.
Try this textBox2.Text.Replace("'","''") when assigning values to the parameters.
One more thing, it is not necessary to use parameters when handling simple texts and numbers in simple queries.
Your query should be like this.
string query = "insert into LOGIN_TABLE (UserName, Password) VALUES ( #uname, #pass )";
Now after that write your code, and everything will be work for you.
Whenever you are reading value from textbox, use Trim() as textBox.Text.Trim().
Sorry it will be working for SqlConnection.
Thanks