// This returns a count of 1, so the table does exist, and I know the user exists because I have just added him in...
Int32 tableCount = database.Query(map, "SELECT * FROM sqlite_master WHERE type = 'table' AND name = 'UserTable'", ps).Count;
// but when I try this the count is 0.... what am I doing wrong?
Int32 tableCount2 = database.Query(map, "SELECT * FROM sqlite_master WHERE type = 'table' AND name = 'UserTable' AND NameOfUser = '" + personsName + "'", ps).Count;
trying to see if the user exists... what am I doing wrong?
SQL Injections
First, I want to say that this code is vulnerable to SQL injection.
Why does the query not work?
Because 'NameOfUser' is not a column of sqlite_master, but it is a column of UserTable, I suppose.
sqlite_master consists of the following columns:
type
name
tbl_name
rootpage
sql
How can I make it work?
Int32 tableCount2 = database.Query(map, "SELECT * FROM UserTable WHERE NameOfUser = '" + personsName + "'", ps).Count;
But, as said before, you had better use C# SQLite prepared statements to prevent SQL injection; check this: C# SQLite tutorial and search for 'prepared'.
Please mark as answer when it works.
CU
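An added example, not code from the question or the answer above and not the sqlite-net `database.Query` API they use: the two checks rewritten with bound parameters using Microsoft.Data.Sqlite against an in-memory database. The table and column names come from the question; the package, the `$name` placeholder syntax and the sample row are assumptions.

```csharp
using System;
using Microsoft.Data.Sqlite;

class UserLookup
{
    // Table existence: sqlite_master only has type/name/tbl_name/rootpage/sql,
    // so filter by name alone and bind the name instead of splicing it into the SQL.
    public static bool TableExists(SqliteConnection conn, string tableName)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = $name";
        cmd.Parameters.AddWithValue("$name", tableName);
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    // User existence: NameOfUser lives in UserTable, so that is the table to query.
    public static bool UserExists(SqliteConnection conn, string personsName)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM UserTable WHERE NameOfUser = $name";
        cmd.Parameters.AddWithValue("$name", personsName); // bound value, never part of the SQL text
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            setup.CommandText = "CREATE TABLE UserTable (Id INTEGER PRIMARY KEY, NameOfUser TEXT NOT NULL)";
            setup.ExecuteNonQuery();
        }
        using (var insert = conn.CreateCommand())
        {
            // Constructed sample name containing an apostrophe: it would break the
            // concatenated query in the question, but a bound parameter handles it.
            insert.CommandText = "INSERT INTO UserTable (NameOfUser) VALUES ($name)";
            insert.Parameters.AddWithValue("$name", "O'Brien");
            insert.ExecuteNonQuery();
        }
        Console.WriteLine(TableExists(conn, "UserTable"));
        Console.WriteLine(UserExists(conn, "O'Brien"));
        Console.WriteLine(UserExists(conn, "nobody"));
    }
}
```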
Related
I have a table named tblAWS which has Name, Code, Bill and Date columns. In the ASP form I used a textbox named txtCode. In the Code column I have codes like 3.1, 3.2, 3.3.
When I write 3.1 in the textbox it generates results perfectly. Now I want the user to type 1 only and have it show the data for 3.1, and likewise 2 for 3.2.
I used the following query; kindly tell me how to edit it.
SqlCommand com = new SqlCommand("select * from tblAWS where Code = '" + txtCode.Text + "' and GlbUniqueID='" + Sessions.CustomerCode + "'", con);
First of all, never use SqlCommand with string concatenation, which is highly subject to SQL injection attacks. Instead use parameterized queries.
// Verbatim string; the user's input is bound as @code and prefixed with '3.' inside SQL Server
var query = @"select * from tblAWS
where Code = '3.' + @code
and GlbUniqueID = @customerCode";
SqlCommand com = new SqlCommand(query, conn);
com.Parameters.AddWithValue("@code", txtCode.Text);
....
OBJECTIVE:
I am trying to get all the values in the column "test_results" from the table "test" where the studentID is equal to some variable. I am trying to use the COUNT function in SQL to do this query, however I keep getting an error:
C# CODE:
MySqlCommand cmd = new MySqlCommand("SELECT COUNT(test_results) FROM test WHERE test.StudentID ='" + student + "';");
ERROR:
"cannot find specificed column in results: test_results"
Which is weird because I have no table named "results". Where did I make an error?
Thank You
EDIT:
MySqlCommand cmd = new MySqlCommand("SELECT COUNT(test_results) AS test WHERE studentID = '" + student + "';");
Gets rid of the previous error however I have another error which says:
you have an error in your SQL syntax near 'WHERE studentID = '6" at line 1
Instead of
"SELECT COUNT(test_results) FROM test WHERE test.StudentID ='" + student + "';"
Do aliasing of the column:
"SELECT COUNT(*) as test_results FROM test WHERE test.StudentID ='" + student + "';"
Also, always use parameterized statement. See this post to know more:
Why do we always prefer using parameters in SQL statements?
I am creating tables with C# code from SQL Server. For that I have created one dynamic table creation function to which I pass some parameters. One of the parameters is a DataTable from which I get the column details. Everything is working fine, but one minor issue is that if there is a table in SQL with identity(1,1),
I get that column's seed value as 0 in C#, and hence the data is inserted with id value 0.
For getting a table's definition from the database, I am using a simple query like
select * from tablename
Tell me if any further details or extra code are needed and I can provide them here.
Ok, I have updated my question with how I am filling my DataTable.
sqlcmd = new SqlCommand("select * from item.TableName", connSource);
dt = new DataTable();
dt.Load(sqlcmd.ExecuteReader());
Please try the query below in your C# code and pass the table name to get Seed and Step:
// Look up the identity seed and increment of the given table (srcConStr must be an open SqlConnection)
SqlCommand sqlcmd = new SqlCommand(
    "SELECT IDENT_SEED(TABLE_NAME) AS Seed, IDENT_INCR(TABLE_NAME) AS Increment " +
    "FROM INFORMATION_SCHEMA.TABLES " +
    "WHERE OBJECTPROPERTY(OBJECT_ID(TABLE_NAME), 'TableHasIdentity') = 1 " +
    "AND TABLE_TYPE = 'BASE TABLE' AND TABLE_NAME = '" + tableName + "'",
    srcConStr);
SqlDataReader readercmd = sqlcmd.ExecuteReader();
while (readercmd.Read())
{
    // Append the IDENTITY clause to the CREATE TABLE script being built
    sqlsc += " IDENTITY(" + readercmd["Seed"].ToString() + "," +
             readercmd["Increment"].ToString() + ") ";
}
readercmd.Close();
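An added example, not the answerer's code: the same identity lookup as a function that binds the table name as a parameter (the answer above concatenates it, and the name originates from data the caller reads from another database) and that reports a table without an identity column as null instead of silently appending nothing. The query is the one from the answer; the method names and the use of System.Data.SqlClient are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class IdentityInfo
{
    // Returns (seed, increment) for the table's identity column, or null when the
    // base table does not exist or has no identity column.
    public static (decimal Seed, decimal Increment)? GetIdentity(SqlConnection conn, string tableName)
    {
        const string sql =
            "SELECT IDENT_SEED(TABLE_NAME) AS Seed, IDENT_INCR(TABLE_NAME) AS Increment " +
            "FROM INFORMATION_SCHEMA.TABLES " +
            "WHERE OBJECTPROPERTY(OBJECT_ID(TABLE_NAME), 'TableHasIdentity') = 1 " +
            "AND TABLE_TYPE = 'BASE TABLE' AND TABLE_NAME = @tableName";
        using var cmd = new SqlCommand(sql, conn);
        // sysname is nvarchar(128); binding the name means quotes in it cannot alter the statement
        cmd.Parameters.Add("@tableName", SqlDbType.NVarChar, 128).Value = tableName;
        using var reader = cmd.ExecuteReader();
        if (!reader.Read())
            return null;
        // IDENT_SEED / IDENT_INCR return numeric, so read them as decimal
        return (reader.GetDecimal(0), reader.GetDecimal(1));
    }

    // Builds the clause to append to the generated CREATE TABLE script.
    public static string IdentityClause((decimal Seed, decimal Increment) id) =>
        $" IDENTITY({id.Seed},{id.Increment}) ";
}
```

Call `GetIdentity` once per table while building the script and append `IdentityClause` only when it returns a value.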
I have a SELECT COUNT(*) statement in C#/ASP.NET and I want to store the result as an int to use as an IF condition. However I am getting an error in visual studio:
Error:System.Data.SqlClient.SqlException (0x80131904): The data types text and varchar are incompatible in the equal to operator. at System.Data.SqlClient.SqlConnection.
It tells me it's occurring at the int temp line. The columns I'm accessing in the database table are of text type.
conn.Open();
String checkEmail = "select count(*) from Players where PlayerEmail= '" + txtEmailLogIn.Text + "'";
SqlCommand com = new SqlCommand(checkEmail, conn);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
conn.Close();
if (temp > 0)
{
}
The problem is in your SQL. You can't use = when comparing TEXT data types; instead you can use LIKE:
String checkEmail = "select count(*) from Players where PlayerEmail LIKE '" + txtEmailLogIn.Text + "'";
Be warned though, that you are opening yourself up to SQL injection attacks when composing SQL strings like this.
DavidG's answer above works. However, if you have the opportunity to change the database schema, you could also fix the error by changing the PlayerEmail column from text to varchar(max). The text data type has been deprecated since at least 2005.
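An added example, not from either answer above: the e-mail check written with a bound parameter for both situations described, the existing text column (LIKE) and a column changed to varchar(max) (plain equality). The table and column names come from the question; the class and method names, the parameter length and the LIKE-escaping helper are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class PlayerLookup
{
    // Escape the LIKE metacharacters so the typed address is matched literally:
    // otherwise a '%' or '_' in the input would widen the match. '[' must be handled first.
    static string EscapeLike(string s) =>
        s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");

    // Works against the existing text column: LIKE is allowed where = is not.
    public static int CountByEmailOnTextColumn(SqlConnection conn, string email)
    {
        const string sql = "SELECT COUNT(*) FROM Players WHERE PlayerEmail LIKE @email";
        using var com = new SqlCommand(sql, conn);
        // Bind as varchar explicitly: an nvarchar pattern is not accepted against a text column
        com.Parameters.Add("@email", SqlDbType.VarChar, 320).Value = EscapeLike(email);
        return (int)com.ExecuteScalar();
    }

    // After the column has been changed to varchar(max), equality works again and
    // no LIKE escaping is needed.
    public static int CountByEmailOnVarcharColumn(SqlConnection conn, string email)
    {
        const string sql = "SELECT COUNT(*) FROM Players WHERE PlayerEmail = @email";
        using var com = new SqlCommand(sql, conn);
        com.Parameters.Add("@email", SqlDbType.VarChar, 320).Value = email;
        return (int)com.ExecuteScalar();
    }
}
```

In the page's login code the condition becomes `if (PlayerLookup.CountByEmailOnTextColumn(conn, txtEmailLogIn.Text) > 0)`.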
I am trying to allow user to enter details inside a textbox and use that information to run a SQL query. It works when I hard code everything for example:
string query = "SELECT * FROM PERSONS WHERE Name='Samuel'";
When I try to use the textbox instead as follows, it returns an error. I am definitely entering the correct name Samuel in the textbox. I ran a messagebox to check whether the textbox is registering the name correctly and yes, it is correct. Please advise if you see anything wrong. Thanks.
name = textbox4.Text;
MessageBox.Show(name);
string query = "SELECT * FROM PERSONS WHERE Name=" + name;
What language? C#?
string query = string.Format("SELECT * FROM PERSONS WHERE Name = '{0}'", SanitizeSql(name));
Or you could be cool and use https://github.com/markrendle/Simple.Data then it would just be
IEnumerable<Person> people = db.Persons.FindAllByName(name);
and this also takes care of SQL injection and is database independent (so you can switch from MSSQL to MySQL to MongoDB...)
You forgot quotes. Change query like below:
string query = "SELECT * FROM PERSONS WHERE Name='" + name + "'";
string query = "SELECT * FROM PERSONS WHERE Name=" + name;
Should be
string query = "Select * From PERSONS Where name = '" + name + "'" ;
Use name=txbox.Text;
dbLog.Open("SELECT * FROM Persons WHERE Name='" & name & "'", dbCon, ADODB.CursorTypeEnum.adOpenDynamic, ADODB.LockTypeEnum.adLockOptimistic)