When I run this query I get the following error:
Syntax error(missing operator) in query expression '[Customer] = 'O'SMILE' and [Product] = 'Casserole(20kg)
Code:
// When print button is executed database operations
// Load data from database based upon select query
String codeQuery = "SELECT count(*) FROM [sheet1$] WHERE [Customer] = '" + lblcustomername.Text + "' and [Product]='" + lblproductname.Text + "'";
OleDbConnection Connection;
Connection = new OleDbConnection(OutputDatabaseConnectionString);
OleDbCommand Command = new OleDbCommand(codeQuery, Connection);
Command.Connection = Connection;
try
{
Connection.Open();
count = (Int32)Command.ExecuteScalar();
Connection.Close();
}
catch (Exception e)
{
MessageBox.Show(e.ToString());
}
The error is because of the unquoted single quote "'" in the name O'SMILE and your use of string concatenation, rather than using a parameterised query. It also indicates that you are vulnerable to SQL injection attacks.
You must use Parameters!
string sql = "SELECT count(*) FROM [sheet1$] WHERE [Customer] = #customer and [Product] = #product";
using (SqlConnection connection = new SqlConnection(/* connection info */))
using (SqlCommand command = new SqlCommand(sql, connection))
{
cmd.Parameters.Add("customer", SqlDbType.VarChar, 100).Value = lblcustomername.Text;
cmd.Parameters.Add("product", SqlDbType.VarChar, 120).Value = lblproductname.Text;
count = (Int32)command.ExecuteScalar();
}
Related
I am beginner in ASP.NET Web Development.Now I want to find sum of marks using SQL sum query. but It finds -1 as sum after query execution. Here is my code:
public double GetTotalScore(string regNo)
{
SqlConnection connection=new SqlConnection(ConnectionString);
string query = "select sum(Score) from SaveResult where RegNo='" + regNo + "' group by RegNo";
SqlCommand command = new SqlCommand(query, connection);
connection.Open();
double total = command.ExecuteNonQuery();
connection.Close();
return total;
}
How could i get sum using sql query?
ExecuteNonQuery returns the number of rows affected.
ExecuteScalar is the method you want. It returns a single-value (a "scalar") to you.
public double GetTotalScore(string regNo)
{
SqlConnection connection=new SqlConnection(ConnectionString);
string query = "select sum(Score) from SaveResult where RegNo='" + regNo + "' group by RegNo";
SqlCommand command = new SqlCommand(query, connection);
connection.Open();
double total = (double)cmd.ExecuteScalar();
connection.Close();
return total;
}
You still have a problem.
string query = "select sum(Score) from SaveResult where RegNo='" + regNo + "' group by RegNo";
You need to change to parameterized queries.
string query = "select sum(Score) from SaveResult where RegNo='#MyParameter' group by RegNo";
SqlParameter param = new SqlParameter();
param.ParameterName = "#MyParameter";
param.Value = "myvalue";
cmd.Parameters.Add(param);
/* now call the ExecuteScalar */
See
http://www.csharp-station.com/Tutorial/AdoDotNet/Lesson06
public string GetTotalScore(string regNo)
{
SqlConnection connection=new SqlConnection(ConnectionString);
string query = "select sum(Score) from SaveResult where RegNo='"+regNo+"' group by RegNo";
SqlCommand command = new SqlCommand(query, connection);
connection.Open();
object total = command.ExecuteScalar();
connection.Close();
return Convert.ToString(total);
}
}
It works,to getting sum using ExecuteScalar.
I think I'm making a fairly amateur mistake somewhere here, but I can't get SQL Parameters to reliably work in C#. Consider the following code:
protected string[] Query(string dataToFind, string tableName, string fieldToCheck, string fieldToReturn)
{
SqlConnection connection = new SqlConnection(ConfigurationSettings.AppSettings["ConnectionString"]);
SqlDataReader dataReader = null;
SqlCommand command = connection.CreateCommand();
command.CommandText = "SELECT " + fieldToReturn + " FROM " + tableName + " WHERE " + fieldToCheck " = '" + dataToFind "'";
try
{
connection.Open();
dataReader = command.ExecuteReader();
etc...
This executes as you would expect, returning the fieldToReturn from the table tableName. However, I understand that this is vulnerably to SQL injections, and that the correct way to avoid this is to use parameters. So I change my code to the following:
protected string[] Query(string dataToFind, string tableName, string fieldToCheck, string fieldToReturn)
{
SqlConnection connection = new SqlConnection(ConfigurationSettings.AppSettings["ConnectionString"]);
SqlParameter[] parameters = new SqlParameter[4];
parameters[0] = new SqlParameter("#dataToFind", dataToFind);
parameters[1] = new SqlParameter("#name", tableName);
parameters[2] = new SqlParameter("#fieldToCheck", fieldToCheck);
parameters[3] = new SqlParameter("#fieldToReturn", fieldToReturn);
SqlDataReader dataReader = null;
SqlCommand command = connection.CreateCommand();
command.Parameters.AddRange(parameters);
command.CommandText = "SELECT #fieldToReturn FROM #tableName WHERE #fieldToCheck = #dataToReturn";
try
{
connection.Open();
dataReader = command.ExecuteReader();
etc...
If I have 3 matches in my database, the first code example returns 3 matches. The second code returns 0 results?!
Am I being stupid and missing something obvious?
Your parameters are:
#dataToFind
#name
#fieldToCheck
#fieldToReturn
Your Query's CommandText has:
#fieldToReturn
#tableName
#fieldToCheck
#dataToReturn
These do not match. They must match in order to be properly applied.
I'm having trouble with a SQL query:
using (SqlConnection conn = new SqlConnection("user id=user;" + "password=pass;" + "server=server;" + "database=db;"))
{
using (SqlCommand comm = new SqlCommand(#"SELECT COUNT(*) FROM [CompaniesDB].[dbo].[Companies] WHERE BolagsID = '" + BolagsID + "'"))
{
conn.Open();
comm.Connection = conn;
MessageBox.Show("TEST: {0}", Convert.ToString((int)comm.ExecuteScalar()));
}
}
I'm expecting to get an int in the message box conveying the number of rows that BolagsID occurs in. But I get 0 every time. I've tried the query in SQL Server Management Studio and it works fine there. What am I doing wrong/missing?
EDIT:
This works, but now I don't know how to parameterize the values:
string query = #"SELECT COUNT(*) FROM [CompaniesDB].[dbo].[Companies] WHERE BolagsID = " + BolagsID;
ADODB.Connection conn2 = new ADODB.Connection();
ADODB.Recordset rs = new ADODB.Recordset();
string strConn = "Provider=...;Data Source=...;Database=...;User Id=...;Password=...";
conn2.Open(strConn);
rs.CursorType = ADODB.CursorTypeEnum.adOpenStatic;
rs.Open(query, conn2);
if (rs.Fields[0].Value > 0)
...stuff...
Like others are saying, parameters are a good idea. Here's something to get you started:
string query = #"SELECT Count(*) FROM [CompaniesDB].[dbo].[Companies] WHERE BolagsID = #BolagsID";
using (SqlCommand cmd = new SqlCommand(query, conn))
{
cmd.Parameters.Add("#BolagsID", SqlDbType.NVarChar).Value = BolagsID;
conn.Open();
MessageBox.Show("TEST: {0}", Convert.ToString((int)cmd.ExecuteScalar()));
conn.Close();
}
Basically a 0 is returned if there is an error in your query, so even though SSMS is smart enough to resolve it, the sql command isn't.
A quick way to make sure that everything else is working okay is to change the query to just "SELECT Count(*) FROM [CompaniesDB].[dbo].[Companies]". If that doesn't work then the issue could lie with your database connection (permissions?) or something else.
Try assigning SELECT COUNT(*) FROM [CompaniesDB].[dbo].[Companies] WHERE BolagsID = '" + BolagsID + "'" to a string str as follows
string str =#"SELECT COUNT(*) FROM [CompaniesDB].[dbo].[Companies] WHERE BolagsID = '" + BolagsID + "'";
using (SqlConnection conn = new SqlConnection("user id=user;" + "password=pass;" + "server=server;" + "database=db;"))
{
using (SqlCommand comm = new SqlCommand(str))
{
conn.Open();
comm.Connection = conn;
MessageBox.Show("TEST: {0}", Convert.ToString((int)comm.ExecuteScalar()));
}
}
Then do a watch/quickwatch on str's value to get the exact query that is getting run and then run the same query in Sql Managment studio. If you get 0 in Sql Management Studio as well, then the problem is that the data is just not there.
I tried a lot of stuff before trying out a whole different approach. This gives me the result I want:
string query = #"SELECT COUNT(*) FROM [CompaniesDB].[dbo].[Companies] WHERE BolagsID = " + BolagsID;
ADODB.Connection conn2 = new ADODB.Connection();
ADODB.Recordset rs = new ADODB.Recordset();
string strConn = "Provider=...;Data Source=...;Database=...;User Id=...;Password=...";
conn2.Open(strConn);
rs.CursorType = ADODB.CursorTypeEnum.adOpenStatic;
rs.Open(query, conn2);
if (rs.Fields[0].Value > 0)
...stuff...
Note that both connection and record set are closed outside of this code snippet.
I am trying to query SQL Server database from C#
I have class
Class_A
{
public fetch((string name, string last_name))
{
SqlConnection conn = null;
double val = 0;
string server = "123.444.22.sss";
string dbase = "xyz";
string userid = "cnsk";
string password = "xxxxxx";
string connection = "Data Source=" + server + ";Initial Catalog=" + dbase
+ ";User ID=" + userid + ";Password=" + password;
conn = new SqlConnection(connection);
try
{
conn.Open();
}
catch(Exception)
{
string e = "Database error contact administrator";
MessageBox.Show(e, "Error!");
}
try
{
SqlDataReader myReader = null;
SqlCommand myCommand = new SqlCommand("select * from table where NAME"
+ " = name and LAST_NAME = last_name", conn);
myReader = myCommand.ExecuteReader();
while (myReader.Read())
{
//do something
}
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
}
return (0);
}
}
There is a problem in my query.
When I give normal query "select * from table" --- this gives me perfect results.
But when I try to give where condition it gives me error. Any suggestions, to fix this?
Thanks.
Use a parameterised query, and more usings, and stop with the generic exceptions.
something like this where somName and SomeLastName are the values that you wan t to query for.
String sql = "Select * From SomeTable Where [Name] = #Name and [Last_Name] = #LastName";
try
{
using(SqlConnection conn = new SqlConnection(connection))
{
conn.Open();
using( SqlCommand command = new SqlCommand(sql,conn))
{
command.Parameters.Add(new SqlParameter("Name", DbType.String,someName));
command.Parameters.Add(new SqlParameter("LastName", DbType.String,someLastName));
using(IDataReader myReader = command.ExecuteReader())
{
while (myReader.Read())
{
//do something
}
}
}
}
return 0; // Huh?
}
catch(SqlException sex)
{
Console.Writeline(String.Format("Error - {0}\r\n{1}",sex.Message, sex.StackTace))
}
NB not checked might be a silly in it
⚠️ WARNING This answer contains a SQL injection security vulnerability. Do not use it. Consider using a parameterized query instead, as described in some of the other answers to this question (e.g. Tony Hopkinson's answer).
Try adding quotes around the values in the where clause like this:
select * from table where NAME = 'name' and LAST_NAME = 'last_name'
In your case where you are using variables you need to add the quotes and then concatenate the values of the variables into the string. Or you could use String.Format like this:
var sql = String.Format("select * from table where [NAME] = '{0}' and LAST_NAME = '{1}'", name, last_name);
SqlCommand myCommand = new SqlCommand(sql);
Try
select * from table where NAME = 'name' and LAST_NAME = 'last_name'
instead of
select * from table where NAME = name and LAST_NAME = last_name
Edit:
If name and last_name are your parameters then try this:
SqlCommand myCommand = new SqlCommand("select * from table where NAME = #name and LAST_NAME = #last_name", conn);
myCommand.Parameters.AddWithValue( "#name", name );
myCommand.Parameters.AddWithValue( "#last_name", last_name );
Using parameterized commands means that you are invulnerable to a potential huge security hole - sql injection which is possible when command text is manually concatenated.
The text needs to be quoted as others have said--but that's not really the right answer here. Even without malice you're going to run into trouble with the Irish here, look what happens when you try to look for Mr. O'Neill. Use parameters instead.
I am trying to write to a database from c#:
using (SqlConnection connection = new SqlConnection())
{
try
{
connection.ConnectionString = "Data Source=nesoi;Initial Catalog=SalesDWH;Integrated Security=True";
// This creates an object with which you can execute sql
using (SqlCommand command = connection.CreateCommand())
{
command.CommandText = #"INSERT INTO [SalesDWH].[dbo].[PendingSpecimens]
([Date Entered]
,[Specimen ID]
,[Test]
,[Agency])
VALUES (#DateEntered,#SpecimenID,#Test,#Agency)";
command.CommandType = CommandType.Text;
// This is how you add a parameter to your sql command
// This way you are protected against SQL injection attacks
SqlParameter DateEntered = command.CreateParameter();
DateEntered.ParameterName = "#DateEntered";
DateEntered.Value = fields[0];
command.Parameters.Add(DateEntered);
SqlParameter SpecimenID = command.CreateParameter();
SpecimenID.ParameterName = "#SpecimenID";
SpecimenID.Value = fields[1];
command.Parameters.Add(SpecimenID);
SqlParameter Test = command.CreateParameter();
Test.ParameterName = "#Test";
Test.Value = fields[2];
command.Parameters.Add(Test);
SqlParameter Agency = command.CreateParameter();
Agency.ParameterName = "#Agency";
Agency.Value = fields[4];
command.Parameters.Add(Agency);
connection.Open();
int someint=command.ExecuteNonQuery();
}
}
catch(Exception ee)
{
textBox1.Text = ee.ToString();
}
In addition to no errors being returned, it has not written anything either!
What am I doing wrong?
I suspect that this line:
command.ExecuteNonQuery();
is not working.
Mut I do not understand why
please help!
Try this:
using (SqlConnection connection = new SqlConnection("Data Source=nesoi;Initial Catalog=SalesDWH;Integrated Security=True"))
{
string queryString = "INSERT INTO SalesDWH.dbo.PendingSpecimens([Date Entered], [Specimen ID], Test, Agency) VALUES (" + fields[0] + ", " + fields[1] + ", " + fields[2] + ", " + fields[4] + ")";
SqlCommand command = new SqlCommand(queryString, connection);
command.Connection.Open();
command.ExecuteNonQuery();
}
Maybe you are missing the parentheses in the values clause?