Could anyone point out what I'm doing wrong, I'm getting an error back in SQL saying Syntax error near '' at line 1
I have tried everything and can't seem to get rid of it ?
This is the code I'm Using -
namespace WindowsFormsApplication1
{
public partial class Form1 : Form
{
MySqlConnection conn;
MySqlConnection conn1;
bool connection = false;
public Form1()
{
InitializeComponent();
}
private void Form1_Load(object sender, EventArgs e)
{
this.toolStripStatusLabel1.Text = "Initialising";
db_connect();
}
private void db_connect()
{
string mydbconn = "server=localhost;user id=root;password=lap;database=test;";
string mydbconn1 = "server=localhost;user id=root;password=lap;database=test;";
try
{
conn = new MySqlConnection(mydbconn);
conn1 = new MySqlConnection(mydbconn1);
conn.Open();
conn1.Open();
this.toolStripStatusLabel1.Text = "Connected";
connection = true;
if (connection == true)
{
read_data();
}
}
catch (Exception ex)
{
this.toolStripStatusLabel1.Text = "WRONG";
connection = false;
}
}
private void read_data()
{
string sql = "SELECT first_name, last_name FROM dan";
MySqlCommand cmd = new MySqlCommand(sql, conn);
MySqlDataReader reader = cmd.ExecuteReader();
while (reader.Read())
{
string newsql = "REPLACE INTO dan1 (first_name, last_name) values";
newsql += "(";
for (int i = 0; i < 2; i++)
{
newsql += reader.GetString(i);
}
// System.Console.WriteLine(newsql);
int res = 0;
MySqlCommand cmd1 = new MySqlCommand(newsql, conn1);
try
{
res = cmd1.ExecuteNonQuery();
this.richTextBox1.Text = "copying";
}
catch (MySqlException ex)
{
this.richTextBox1.Text = ex.Message;
}
}
}
}
}
You are creating a query that looks like this:
REPLACE INTO dan1 (first_name, last_name) values(JohnDoe
when it should look like this;
REPLACE INTO dan1 (first_name, last_name) values ('John', 'Doe')
To create SQL dynamically like that you need to escape all the string data properly, and the way that it's done correctly depends on the database you are using. For MySQL it would be:
string newsql = "REPLACE INTO dan1 (first_name, last_name) values (";
bool first = true;
for (int i = 0; i < 2; i++) {
if (first) {
first = false;
} else {
newsql += ",";
}
newsql += "'" + reader.GetString(i).Replace("\\", "\\\\").Replace("'", "\\'") + "'";
}
newsql += ")";
However, you would rather use a parameterised query instead, then you don't have to worry about formatting the query and escaping characters correctly:
string newsql = "REPLACE INTO dan1 (first_name, last_name) values (#FirstName, #LastName)";
MySqlCommand cmd1 = new MySqlCommand(newsql, conn1);
cmd1.Parameters.Add("#FirstName", reader.GetString(0));
cmd1.Parameters.Add("#LastName", reader.GetString(1));
At a minimum I think that your query might be missing a closing paren. Your code seems to generate queries that look like this:
REPLACE INTO dan1 (first_name, last_name) values (first_name last_name
which is missing the closing ). I also do not see commas being added to separate the items in the values clause, and probably the items themselves are not quoted. Try this:
string newsql = "REPLACE INTO dan1 (first_name, last_name) values";
newsql += "(";
for (int i = 0; i < 2; i++)
{
newsql += reader.GetString(i);
}
newsql += ")";
// System.Console.WriteLine(newsql);
Related
I'm working on an app with an Access 2010 db connection and I keep receiving OleDB error 80004005 and I can't figure out why.
const String conn = #"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=E:\OneDrive\Dropbox\SharpDevelop Projects\electronics inventory\electronics.mdb";
const String qCont = "select Section, Number, Stock from Container where Component = #IdComp order by Section, Number";
int oldParamSubcat = 0;
OleDbConnection connection = new OleDbConnection(conn);
void GrdCompCellClick(object sender, DataGridViewCellEventArgs e)
{
String IdComp = grdComp[grdComp.Columns["ID"].Index, grdComp.CurrentCell.RowIndex].Value.ToString();
try
{
grdSubcat.DataSource = null;
grdSubcat.Rows.Clear();
grdSubcat.Columns.Clear();
connection.Open();
OleDbCommand cmdDetail = new OleDbCommand();
cmdDetail.Connection = connection;
cmdDetail.CommandText = qDetail;
cmdDetail.Parameters.AddWithValue("#IdComp", Convert.ToInt32(IdComp));
txtDetails.Text = "";
OleDbDataReader rdDetail = cmdDetail.ExecuteReader();
rdDetail.Read();
txtDetails.Text = rdDetail["Component"].ToString() + "\r\n";
txtDetails.Text += rdDetail["Parameter"].ToString() + ": ";
txtDetails.Text += rdDetail["Val"].ToString() + "\r\n";
while(rdDetail.Read())
{
txtDetails.Text += rdDetail["Parameter"].ToString() + ": ";
txtDetails.Text += rdDetail["Val"].ToString() + "\r\n";
}
rdDetail.Close();
connection.Close();
connection.Open();
OleDbCommand cmdCode = new OleDbCommand();
cmdCode.Connection = connection;
cmdCode.CommandText = qCode;
cmdCode.Parameters.AddWithValue("#IdComp", Convert.ToInt32(IdComp));
txtDetails.Text += "\r\n";
OleDbDataReader rdCode = cmdCode.ExecuteReader();
while(rdCode.Read())
{
txtDetails.Text += rdCode["Seller"].ToString() + ": ";
txtDetails.Text += rdCode["Code"].ToString() + "\r\n";
}
rdCode.Close();
connection.Close();
connection.Open();
OleDbCommand cmdCont = new OleDbCommand();
cmdCont.Connection = connection;
cmdCont.CommandText = qCont;
cmdCont.Parameters.AddWithValue("#IdComp", Convert.ToInt32(IdComp));
txtDetails.Text += "\r\n";
OleDbDataReader rdCont = cmdCont.ExecuteReader(); ////////// here is where i receive the error ///////////////
while(rdCont.Read())
{
txtDetails.Text += "Container: ";
txtDetails.Text += rdCont["Section"].ToString() + "-";
txtDetails.Text += rdCont["Number"].ToString() + " = ";
txtDetails.Text += rdCont["Stock"].ToString() + " units\r\n";
}
rdCont.Close();
connection.Close();
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString());
}
}
The rest of the code works perfectly, I only get the error on cmdCont.ExecuteReader();
The error message
If i execute the query in Access, it runs ok.
Any ideas are very much welcome.
Thanks.
The words Section, Number and Container are listed between the reserved keyword for MS-Access. You shouldn't use them in your table schema but if you really can't change these names to something different then you need to put them between square brackets
const String qCont = #"select [Section], [Number], Stock from [Container]
where Component = #IdComp order by [Section], [Number]";
Also you should use a more robust approach to your disposable objects like the connection, the commands and the readers. Try to add the using statement to your code in this way:
try
{
....
using(OleDbConnection connection = new OleDbConnection(......))
{
connection.Open();
....
string cmdText = "yourdetailquery";
using(OleDbCommand cmdDetail = new OleDbCommand(cmdText, connection))
{
.... // parameters
using(OleDbDataReader rdDetail = cmdDetail.ExecuteReader())
{
... read detail data ....
}
}
// here the rdDetail is closed and disposed,
// you can start a new reader without closing the connection
cmdText = "yourcodequery";
using(OleDbCommand cmdCode = new OleDbCommand(cmdText, connection))
{
.... parameters
using(OleDbReader rdCode = cmdCode.ExecuteReader())
{
// read code data...
}
}
... other command+reader
}
// Here the connection is closed and disposed
}
catch(Exception ex)
{
// any error goes here with the connection closed
}
Here is my program:
What I want to do: when I enter 1 in ProductID textbox, I want category, name and price for ProductID = 1 to be filled into their textboxes.
I have tried to read from product table where ProductID = ProductIDTB.Text and then changed the other textboxes to show the data inside the other columns
Here is my code when ProductID textbox is changed:
protected void ProductIDTB_TextChanged(object sender, EventArgs e)
{
string connectionString1;
SqlConnection cnn1;
connectionString1 = "Data Source=(localdb)\\MSSQLLocalDB;Initial Catalog=Greenwich_Butchers;Integrated Security=True;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;ApplicationIntent=ReadWrite;MultiSubnetFailover=False";
cnn1 = new SqlConnection(connectionString1);
string selectSql1 = "SELECT * FROM [Product] WHERE ProductID = ('" + Convert.ToInt32(ProductIDTB.Text) + "') ";
SqlCommand com1 = new SqlCommand(selectSql1, cnn1);
try
{
cnn1.Open();
using (SqlDataReader read = com1.ExecuteReader())
{
while (read.Read())
{
String productcategory = Convert.ToString(read["ProductCategory"]);
ProductCategoryTB.Text = productcategory;
String productname = Convert.ToString(read["ProductName"]);
ProductNameTB.Text = productname;
String productprice = Convert.ToString(read["ProductPrice"]);
ProdPriceTB.Text = productprice;
}
}
}
catch (Exception ex)
{
Response.Write("error" + ex.ToString());
}
finally
{
cnn1.Close();
}
}
Work-around: as textbox_textchanged event was not working, I decided to add a button which finds product using the ID:
protected void FindProductBtn_Click(object sender, EventArgs e)
{
string connectionString1;
SqlConnection cnn1;
connectionString1 = "Data Source=(localdb)\\MSSQLLocalDB;Initial Catalog=Greenwich_Butchers;Integrated Security=True;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;ApplicationIntent=ReadWrite;MultiSubnetFailover=False";
cnn1 = new SqlConnection(connectionString1);
string selectSql1 = "SELECT * FROM [Product] WHERE ProductID = (" + Convert.ToInt32(ProductIDTB.Text) + ") ";
SqlCommand com1 = new SqlCommand(selectSql1, cnn1);
try
{
cnn1.Open();
using (SqlDataReader read = com1.ExecuteReader())
{
while (read.Read())
{
String productcategory = Convert.ToString(read["ProductCategory"]);
ProductCategoryTB.Text = productcategory;
String productname = Convert.ToString(read["ProductName"]);
ProductNameTB.Text = productname;
String productprice = Convert.ToString(read["ProductPrice"]);
ProdPriceTB.Text = productprice;
}
}
}
catch (Exception ex)
{
Response.Write("error" + ex.ToString());
}
finally
{
cnn1.Close();
ProductCategoryTB.ReadOnly = true;
ProductNameTB.ReadOnly = true;
ProdPriceTB.ReadOnly = true;
}
}
Set the textbox's AutoPostBack attribute to true
More info: https://meeraacademy.com/textbox-autopostback-and-textchanged-event-asp-net/
<asp:TextBox ID="ProductIDTB" runat="server" AutoPostBack="True"
OnTextChanged="ProductIDTB_TextChanged"></asp:TextBox>
By the way, use SqlParameter to use parameterized query. Aside from sql-injection attack prevention, parameterized query can help the RDBMS store and re-use the execution plan of similar queries, to ensure better performance. See: https://dba.stackexchange.com/questions/123978/can-sp-executesql-be-configured-used-by-default
string selectSql1 = "SELECT * FROM [Product] WHERE ProductID = #productIdFilter";
int productIdFilter = Convert.ToInt32(ProductIDTB.Text);
SqlCommand com1 = new SqlCommand(selectSql1, cnn1);
com1.Parameters.AddWithValue("productIdFilter", productIdFilter);
OnTextChanged Event in Code Behind
protected void txtProductId_TextChanged(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["_connect"].ToString());
int ProductId = Convert.ToInt32(txtProductId.Text);
SqlCommand com = con.CreateCommand();
com.CommandText = "sp_ProductGetData";
com.CommandType = CommandType.StoredProcedure;
com.Parameters.AddWithValue("#Mode", 1);
com.Parameters.AddWithValue("#ProductId", ProductId);
con.Open();
SqlDataReader dr = com.ExecuteReader();
if (dr.HasRows)
{
dr.Read();
txtProductCategory.Text = Convert.ToString(dr["ProductCategory"]);
txtProductName.Text = Convert.ToString(dr["ProductName"]);
txtPrice.Text = Convert.ToString(dr["Price"]);
}
else
{
ScriptManager.RegisterClientScriptBlock((Page)(HttpContext.Current.Handler), typeof(Page), "alert", "javascript:alert('" + Convert.ToString(("No Record Found with Prodcut Id: "+ProductId)) + "');", true);
return;
}
con.Close();
}
Stored Procedure
CREATE PROCEDURE sp_ProductGetData
(
#Mode INT=NULL,
#ProductId INT=NULL
)
AS
BEGIN
IF(#Mode=1)
BEGIN
SELECT ProductCategory,ProductName,Price FROM Product
WHERE ProductId=#ProductId
END
END
I have a datagridview which is created by various action and user's manipulation of data. I want to insert all the data of the gridview to the database at once, I know I could try a code similar to this:
private void btnSaveProducts_Click(object sender, EventArgs e)
{
SqlConnection connection = DBConnectivity.getConnection();
if (connection != null)
{
try
{
for (int i = 0; i < dGvProducts.Rows.Count; i++)
{
string query = "INSERT INTO product (productName) " + "VALUES (#productName)";
SqlCommand command = DBConnectivity.getCommandForQuery(query, connection);
int result = command.ExecuteNonQuery();
Console.WriteLine(result + "");
}
// string query = "Insert into units(name,packing)values('" + txtNameUnit.Text + "' , '" + txtPackingUnit.Text + "')";
// SqlCommand command = DBConnectivity.getCommandForQuery(query, connection);
// int result = command.ExecuteNonQuery();
// Console.WriteLine(result + "");
}
catch (Exception ex)
{
}
finally
{
connection.Close();
}
}
}
As is, the code tries to execute a parameterized query but never assigns a value to the parameter. Even if you do, you never extract the cell values.
The code should look like this:
var query = "INSERT INTO product (productName) VALUES (#productName)";
using var(connection = DBConnectivity.getConnection())
using(var command = new SqlCommand(query, connection))
{
var productParam=command.Parameters.Add("#productName",SqlDbType.NVarChar,50);
connection.Open();
for (int i = 0; i < dGvProducts.Rows.Count; i++)
{
var productName=dGvProducts.Rows[i].Cells[somecolumn].Value;
productParam.Value=productName;
int result = command.ExecuteNonQuery();
Console.WriteLine(result);
}
}
My code looks like this:
var settings = ConfigurationManager.ConnectionStrings["InsurableRiskDB"];
string server = ConfigurationManager.AppSettings["Server"];
string cs = String.Format(ConfigurationManager.AppSettings[settings.ProviderName], ConfigurationManager.AppSettings[server]);
SqlConnection connection = new SqlConnection(cs);
string PolicyKeys = "";
for (int i = 0; i < keys.Count(); i++)
{
if (i == keys.Count() - 1)
PolicyKeys += keys[i] ;
else
PolicyKeys += keys[i] + ", ";
}
//have to change the code to pull the user's NBK.
string user = "'DATALOAD'";
const string updateQuery = #"UPDATE [InsurableRisk].[dbo].[Policy]
SET [InsuranceCarrierKey] = #ToKey
,[AuditUser] = #User
,[AuditDate] = SYSDATETIME()
WHERE PolicyKey in (#PolicyKeys) and InsuranceCarrierKey = #FromKey";
using (connection)
{
using (SqlCommand dataCommand = new SqlCommand(updateQuery, connection))
{
dataCommand.Parameters.AddWithValue("#ToKey", toKey);
dataCommand.Parameters.AddWithValue("#User", user);
dataCommand.Parameters.AddWithValue("#PolicyKeys", PolicyKeys);
dataCommand.Parameters.AddWithValue("#FromKey", fromKey);
connection.Open();
dataCommand.ExecuteNonQuery();
connection.Close();
}
}
res = true;
}
catch (Exception ex)
{
MessageBox.Show("There is an error while try in save the changes " + ex.Message, "Error Message", MessageBoxButtons.OKCancel);
res = false;
}
return res;
Now, when i run this code, it says query is unable to execute. It throws and exception stating, it is unable to convert NVarchar to int for variable #PolicyKeys
Any suggestions as to what i am missing in this code?
Typically, in SQL you'd write an IN statement like this:
WHERE SomeColumn IN ('A', 'B', 'C')
What you're doing is the equivalent of this in SQL (which won't work):
WHERE SomeColumn IN ('A, B, C')
Change your SQL statement accordingly: (modified from this answer)
WHERE PolicyKey in ({0})
And then add your parameters in a loop, like this:
var parameters = new string[keys.Count()];
for (int i = 0; i < keys.Count(); i++)
{
parameters[i] = string.Format("#Key{0}", i);
cmd.Parameters.AddWithValue(parameters[i], keys[i]);
}
cmd.CommandText = string.Format(updateQuery, string.Join(", ", parameters));
i face the following problem::
i wanna to escape the following character ' single quote:
it works when making this test through :the built in method Replace("'","''");
as this code below :(just a test) it works
protected void btn_insert_Click(object sender, EventArgs e)
{
lbl.Text = string.Empty;
SqlConnection mycon = new SqlConnection(Constr);`
SqlCommand mycommand = new SqlCommand("INSERT INTO details VALUES('" + txt.Text.Replace("'", "''") + "','" + txt.Text.Replace("'", "''")+ "')", mycon);
mycon.Open();
int affectedRows = 0;
affectedRows = mycommand.ExecuteNonQuery();
mycon.Close();
}
but i wanna to generalize my solution to work all over the application through my Insert method in the data access layer:
public static int InsertEntity(string tblName, Dictionary<string, string> dtParams)
{
int Result = -1;
DBConnection DAL_Helper = new DBConnection("");
string[] field_names = new string[dtParams.Count];
dtParams.Keys.CopyTo(field_names, 0);
string[] field_values = new string[dtParams.Count];
dtParams.Values.CopyTo(field_values, 0);
for (int i = 0; i < field_values.Length; i++)
{
field_values[i].Replace("'", "''");
}
string insertCmd = "INSERT INTO " + tblName + " (" + string.Join(",", field_names) + ") values ('" + string.Join("','", field_values) + "')";
Result = DAL_Helper.Execute_NonQuery(insertCmd);
return Result;
}
this not escaping the ' single quote charecter,although i use Replace("'","''");
what is the problem ,,how to fix this problem?
I strongly recommend you use Command Parameters using SqlCommand.Parameters collection instead of your approach.
Problem is here :
for (int i = 0; i < field_values.Length; i++)
{
field_values[i].Replace("'", "''");
}
Replace it with :
for (int i = 0; i < field_values.Length; i++)
{
field_values[i] = field_values[i].Replace("'", "''");
}
Building on decyclone's answer. CommandParameters are the way to go here, you are just re-inventing it with your own code.
I have found a very nice clear example here for supplying params to a SQL statement.
http://dotnetperls.com/sqlparameter
using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE #Name", connection))
{
string dogName = "Mc'Dougal";
//
// Add new SqlParameter to the command.
//
command.Parameters.Add(new SqlParameter("Name", dogName));
//
// Read in the SELECT results.
//
SqlDataReader reader = command.ExecuteReader();
}