Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 5 years ago.
Improve this question
I am trying to run a database query through c#. I am trying to pass a parameter into my sql statement but I am getting an exception saying invalid near #Agent_ID.
My code is like this
SqlCommand command = new SqlCommand("Select Csr_DISBURSEMENTDATE, Csr_AGENTNUMBER, Csr_TOTCURREARNINGS, Csr_MISCADJUSTMENTS, Csr_YTDTOTALCOMM, Csr_PAYMENTMETHOD From Cm_Opt_Csr_CommStatement_S " +
"inner join Cm_Opt_Con_Contract_S on Con_WritingCode = Csr_AgentNumber" +
"inner join Cm_Opt_Agt_Agent_S on agt_ID = Con_AgentID" +
"where Agt_ID = #AgentID");
command.Parameters.AddWithValue("#AgentID", Con_agentID);
command.Connection = conn;
SqlDataReader rdr = null;
rdr = command.ExecuteReader();
Con_agentID is a guid and in the database table the column which it maps to is a uniqueidentifer. I am stuck at this point. Could someone please point out the mistake in the syntax.
The exception thrown is
System.Data.SqlClient.SqlException: 'Incorrect syntax near 'Agt_ID'.'
You are missing spaces between words when you continue on to next line.
SqlCommand command = new SqlCommand("Select Csr_DISBURSEMENTDATE, Csr_AGENTNUMBER, Csr_TOTCURREARNINGS, Csr_MISCADJUSTMENTS, Csr_YTDTOTALCOMM, Csr_PAYMENTMETHOD From Cm_Opt_Csr_CommStatement_S " +
"inner join Cm_Opt_Con_Contract_S on Con_WritingCode = Csr_AgentNumber " +
"inner join Cm_Opt_Agt_Agent_S on agt_ID = Con_AgentID " +
"where Agt_ID = #AgentID");
command.Parameters.AddWithValue("#AgentID", Con_agentID);
command.Connection = conn;
SqlDataReader rdr = null;
rdr = command.ExecuteReader();
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 5 years ago.
Improve this question
so, I have this code
MySqlConnection connection = new MySqlConnection("Server=localhost;Port=3306; Database=brez-db;Uid=root;Pwd=root;");
try {
connection.Open();
String Query = "SELECT 1 FROM users_table WHERE user_Username='" + usernameTB.Text + "' AND user_Password='" + passwordTB.Password + "'";
MySqlCommand myCommand = new MySqlCommand(Query, connection);
MySqlDataReader myReader = myCommand.ExecuteReader();
while (myReader.Read())
{
String str = myReader.GetString("user_Username").ToString();
MessageBox.Show(str);
}
}
catch(Exception ex) { throw; }
finally { }
but
while(myReader.Read()){}
returns only 1 and 0 . 1 if there is a value inside and 0 if there's nothing.
I've tried many things to get the value but nothing, any suggestion?
I'm writing a wpf C# app
PS: I know that its a good thing to use parameters for security, but I want to make a simple code for now
Remove 1 after the select. Also you should use query for the name of your string,not Query,it looks like it is reserved for something.
Also,you should get your string like this:
string sUsername= myReader["ColumnName"].ToString();
or like this
string sUsername= myReader[0].ToString();
And in the finally you are missing connection.Close();
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 5 years ago.
Improve this question
I have this comamand and that error, in data i have zip code 79000 and table name site
private void Crt_clck_Click(object sender, EventArgs e)
{
{
con.Open();
SqlCommand cmd = con.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "SELECT CMC, [Site Name], [Phone Number], Zip_Code FROM site Where Zip_Code'" + Zipcode.Text + "'";
cmd.ExecuteNonQuery();
DataTable dt = new DataTable();
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(dt);
dataGridView1.DataSource = dt;
con.Close();
}
can you help me with this
Change your sql statement to
cmd.CommandText = "SELECT CMC, [Site Name], [Phone Number], Zip_Code FROM site Where Zip_Code = '" + Zipcode.Text + "'";
You are missing the = which is needed for the syntax to be correct.
But you should think about using parameter instead to avoid SQL Injection.
Why do we always prefer using parameters in SQL statements? could be interesting for this, too.
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I have the following problem performin a query in C#
I have the following method performing a simple query:
public List<DataModel.Vulnerability.VulnerabilitySolution> getVulnerabilitySolutionsList(int vulnId)
{
List<DataModel.Vulnerability.VulnerabilitySolution> result = new List<Vulnerability.VulnerabilitySolution>();
System.Data.Common.DbCommand command;
command = _connection.CreateCommand();
command.Connection = this._connection;
_strSQL = "VS.* FROM VulnerabilityAlertDocument_VulnerabilitySolution VAD_VS"
+ " INNER JOIN VulnerabilitySolution VS ON VAD_VS.VulnerabilitySolutionId = VS.Id"
+ " WHERE VAD_VS.VulnerabilityAlertDocumentId = #VULNID ";
addParameter(command, "#VULNID", vulnId);
command.CommandText = _strSQL;
_dt = fillDataTable(command);
DataModel.Vulnerability.VulnerabilitySolution vulnSolution;
foreach (DataRow row in _dt.Rows)
{
vulnSolution = new DataModel.Vulnerability.VulnerabilitySolution(row);
result.Add(vulnSolution);
}
return result;
}
The problem is that when try to execute this line: _dt = fillDataTable(command); it throw the following exception: Incorrect syntax near '*'
What could be the problem? If I try to execute the same query in SQL Server (replacing the value of the parameter) it work fine
How can I solve this issue?
You need to add the word select before the VS.*
_strSQL = "SELECT VS.* FROM VulnerabilityAlertDocument_VulnerabilitySolution VAD_VS"
+ " INNER JOIN VulnerabilitySolution VS ON VAD_VS.VulnerabilitySolutionId = VS.Id"
+ " WHERE VAD_VS.VulnerabilityAlertDocumentId = #VULNID ";
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I'm getting a run time error in my program when connecting to a SQL Server CE database.
Can anyone help me, and please don't write the whole code just a line of what needs to be changed to.
Here is my code:
string conString = Properties.Settings.Default.POSdatabaseConnectionString;
using (SqlCeConnection con = new SqlCeConnection(conString))
{
con.Open();
using (SqlCeCommand com = new SqlCeCommand("SELECT * FROM Customer where Customer ID ='" + this.useridtexbox.Text + "' and Name='" + this.nametexbox.Text + "'", con))
{
SqlCeDataReader reader = com.ExecuteReader();
int count = 0;
while (reader.Read())
{
count = count + 1;
}
if (count == 1)
{
MessageBox.Show("You have logged in succesfully");
Homepage homepage = new Homepage();
homepage.Show();
homepage.LabelText = ("Welcome " + reader["name"].ToString());
}
else
{
MessageBox.Show("Username and password is Not correct ...Please try again");
con.Close();
}
Error:
There was an error parsing the query. [ Token line number = 1,Token line offset = 39,Token in error = ID ]
I think the problem with the space in Customer ID,Try this
SqlCeCommand com = new SqlCeCommand("SELECT * FROM Customer where CustomerID ='" + this.useridtexbox.Text + "' and Name='" + this.nametexbox.Text + "'", con))
In your command, do not use string concatenation. That will fail badly and leave you open to SQL injection attacks.
Image what happens if I enter the following text into this.nametexbox.Text:
Joe'; DROP DATABASE; --
You don't want have someone like little Bobby Tables as user.
Use sql parameters.
If you have tables or fields with spaces, you to have a word with your DBA. If you cannot change it, make sure you use the correct syntax:
WHERE [Customer ID] = '12345'
Make sure you CustomerID column have space
Always use parameterized query to avoid SQL Injection
How does SQLParameter prevent SQL Injection
SqlCeCommand com = new SqlCeCommand = "SELECT * FROM Customer where CustomerID=#CustomerID and
name=#name";
con.Parameters.AddWithValue("#CustomerID", valuesTextBox.Text);
con.Parameters.AddWithValue("#name", namwTextBox.Text);
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 9 years ago.
Improve this question
I have a c# application. I am trying to run a parameterized query, please see below. However I keep getting the error message
"The parameterized query '(#dtStart date)SELECT * FROM
D_CORPACTIONS_MSCI WHERE [date_effe' expects the parameter '#dtStart',
which was not supplied."
I can't see why it is telling me this though?
DateTime dtStart = dtPrev;
using (_connection = new SqlConnection(_connectionString))
{
_connection.Open();
string cmdText = "SELECT * FROM D_CORPACTIONS_MSCI " +
"WHERE [date_effective] >= #dtStart " +
"AND [ca_status] ='" + caStatus + "'";
_command = new SqlCommand(cmdText, _connection);
_command.Parameters.Add("#dtStart", SqlDbType.Date);
Instead of Parameters.Add try Parameters.AddWithValue
_command.Parameters.AddWithValue("#dtStart", dtStart);
Or give a value to your parameter:
_command.Parameters.Add("#dtStart", SqlDbType.Date).Value = dtStart;