Getting SQLException with this "super useful" exception message (Incorrect syntax near ','.) , was wondering if anyone could see anything wrong with the syntax at a glace?
It is code based off of the example that can be found at http://www.jarloo.com/c-bulk-upsert-to-sql-server-tutorial/
private void importToolStripMenuItem_Click(object sender, EventArgs e)
{
DataTable import = new DataTable();
DialogResult result = this.importFileDialog.ShowDialog();
if (DialogResult.OK == result)
{
Stream importStream = this.importFileDialog.OpenFile();
import.ReadXml(importStream);
importStream.Close();
string tmpTable = "select top 0 * into #import from tblJob;";
using (SqlConnection con = new SqlConnection(CONSTRING))
{
con.Open();
SqlCommand cmd = new SqlCommand(tmpTable, con);
cmd.ExecuteNonQuery();
SqlBulkCopyOptions options = SqlBulkCopyOptions.KeepIdentity;
using (SqlBulkCopy bulk = new SqlBulkCopy(con))
{
bulk.DestinationTableName = "#import";
bulk.WriteToServer(import);
}
//http://www.jarloo.com/c-bulk-upsert-to-sql-server-tutorial/
//Now use the merge command to upsert from the temp table to the production table
string mergeSql = "merge into tblJob as Target " +
"using #import as Source " +
"on " +
"Target.[Location]=Source.[Location]," +
"Target.[Schedule]=Source.[Schedule] " +
"when matched then " +
"update set Target.[Complete]=Source.[Complete]," +
"Target.[Cost]=Source.[Cost]," +
"Target.[Description]=Source.[Description]";
//"when not matched then " +
//"insert (Symbol,Price,Timestamp) values (Source.Symbol,Source.Price,Source.Timestamp)" +
//";";
cmd.CommandText = mergeSql;
cmd.ExecuteNonQuery();
//Clean up the temp table
cmd.CommandText = "drop table #import";
cmd.ExecuteNonQuery();
}
dgvJobs.DataSource = getData("select * from tblJob");
If you want to have multiple Join criteria in your MERGE, you need to use the AND keyword (not a comma ,, as you're using now).
Instead of
merge into tblJob as Target
using #import as Source on Target.[Location]=Source.[Location], Target.[Schedule]=Source.[Schedule]
that you're using, use this instead:
MERGE INTO dbo.tblJob AS Target
USING #import AS Source ON Target.[Location] = Source.[Location]
AND Target.[Schedule] = Source.[Schedule]
This is true for any join condition, also for INNER JOIN and LEFT OUTER JOIN or any other join type, too.
Related
I was working on VB.NET and am now switching to C#. I was using the following code to use table as variable from combo box to fill a DataGrid:
Dim strTAB as a String
dtTAB1 = New DataTable
strTAB = cboDTA_TBL.Text
adpPRJ = New SqlDataAdapter("Select * from """ & strTAB & """", conPRJ_NET)
'conPRJ_NET is connection to connect MsSQL Database on server.
adpPRJ.Fill(dtTAB1)
dgFIN_TAB.DataSource = dtTAB1
I am looking for the C# equivalent of """ & strTAB & """.
This code works perfectly in vb.net, no errors.
Can anyone help?
As mentioned, this is a bad design, due to SQL Injection, but here's your answer :
var strTAB = "tableName";
string myString = $"Select * from {strTAB}";
Although, normally you would never concatenate strings to build an Sql statement, you do not need to be concerned about Sql Injection if your combo box DropDownStyle is set to DropDownList. This is essentially "limit to list" but it is NOT the default setting.
The using statements ensure that your database objects are closed and disposed.
I not sure what the the double quotes around the table name are supposed to do but in Sql Server the identifier delimiters are square brackets. ( [ ] )
private void button1_Click(object sender, EventArgs e)
{
string query = "Select * From [" + cboDTA_TBL.Text + "];";
DataTable dtTAB1 = new DataTable();
using (SqlConnection conPRJ_NET = new SqlConnection("Your connection string"))
{
using (SqlDataAdapter adpPRJ = new SqlDataAdapter(query, conPRJ_NET))
{
adpPRJ.Fill(dtTAB1);
}
}
dgFIN_TAB.DataSource = dtTAB1;
}
I use a MySQL command like this:
string db_name= "test";
string db_table = "table";
command.CommandText = "SELECT * FROM " + db_name+ "." + db_table + " WHERE ID = "ID";";
// sometimes you need the: ' around the string-variables
command.CommandText = "SELECT * FROM '" + db_name+ "." + db_table + "' WHERE ID = "ID";";
Hello i'm using linq and sql to create a windows serrvice that updates some rows if there was a change in the table in the last 5 minutes so far this is what i have:
using System;
using System.Data.SqlClient;
using System.Linq;
namespace Prueba
{
internal static class Program
{
private static void Main()
{
int tienda = 9;
var conex = new DataClasses1DataContext();
try
{
var source =
new SqlConnection(
"Server=LAPTOP-VCD9V9KH\\SQLEXPRESS;Database=backoffice;User Id=sa; Password=root;");
var destination =
new SqlConnection(
"Server=LAPTOP-VCD9V9KH\\SQLEXPRESS;Database=Corporativo_PRB;User Id=sa; Password=root;");
source.Open();
destination.Open();
source.CreateCommand();
var infoExistenciases = conex.Info_Existencias.Where(x => x.FechAct > DateTime.Now.AddMinutes(-5));
foreach (var x in infoExistenciases)
{
var cmd2 = new SqlCommand(
"update Info_Corp_Existencias set Existencia =" + x.Existencia + " where sku ='" + x.SKU + "'" +
"AND Tienda =" + tienda, destination);
cmd2.ExecuteNonQuery();
}
source.Close();
destination.Close();
Console.Beep();
}
catch
(Exception e)
{
Console.WriteLine(e);
Console.ReadLine();
throw;
}
}
}
}
So far this code updates everything in the destination server but i can't really really pinpoint down how to put everything into a temp table to let linq update it foreach argument.
Thank you for your time
Since it's in two different tables, it's difficult to select the corresponding row in the second table without knowing the table design exactly. But you can probably do something like this:
var cmd2 = new SqlCommand(
"update Info_Corp_Existencias set Existencia = (select field FROM Info_Existencias WHERE id=#otherid where sku ='" + x.SKU + "'" +
"AND Tienda =" + tienda, destination);
cmd2.ExecuteNonQuery();
So leave out the foreach statement and just launch ONE update statement to the database that will update every row's field by using a subselect to get the correct value from the row.
Hope this helps.
I would like to use Linq instead of below hardcoded Sql Injection to search from SqlServer DATABASE TABLES. How to retrieve Dynamically generated web controls input texts in C# Linq and replace the entire Sql injection in Linq for searching.
My C# code:
protected void Search_Button_Click(object sender, EventArgs e)
{
try
{
Table maintable = Select.FindControl("dynamic_filter_table_id") as Table;
int rc = maintable.Rows.Count;
if (rc == 1)
{
DropDownList D1 = maintable.FindControl("MainDDL") as DropDownList;
if (D1.SelectedValue.Contains("decimal"))
{
TextBox T1 = maintable.FindControl("txtbox1") as TextBox;
TextBox T2 = maintable.FindControl("txtbox2") as TextBox;
SqlDataAdapter sql = new SqlDataAdapter("SELECT F.Col1,F.Col2,V.COL1, col2,col3, col4 , col5, cl6 FROM TABLE1 as V , TABL2 as F WHERE V.Col1 = F.Col1 AND " + DDL1.SelectedItem.Text + " >= " + T1.Text + " AND " + DDl1.SelectedItem.Text + " <= " + T2.Text, con);
DataSet data = new DataSet();
sql.Fill(data);
con.Close();
Session["DataforSearch_DDL"] = data.Tables[0];
}
}
}
catch
{
ImproperSearch();
}
}
Why don't you just rewrite your query to be SQL-injection safe? LINQ won't give you any benefit.
You can achieve that by doing two things.
The first is to secure the column names. That is accomplished by specifying which characters is allowed for column names (more secure than trying to figure out what characters is not allowed). In this case I remove everything but letters and digits. If you have column names which contains underscore, just add that to the check.
The next thing is to use parameterized queries. Each ADO.NET driver has built in support for that, so you just have to specify the value using cmd.Parameters.AddWithValue. By doing so the value isn't part of the query string and hence there is no potential SQL injection.
using (var con = yourConnectionFactory.Create())
{
using (var cmd = new SqlCommand(con))
{
var safeKey1 = OnlyLettersAndDigits(DDL1.SelectedItem.Text);
var safeKey2 = OnlyLettersAndDigits(DDL2.SelectedItem.Text);
cmd.CommandText = "SELECT F.Col1,F.Col2,V.COL1, col2,col3, col4 , col5, cl6 " +
" FROM TABLE1 as V , TABL2 as F WHERE V.Col1 = F.Col1 " +
" AND " + safeKey1 + " >= #text1 " +
" AND " + safeKey2 + " <= #text2 ";
cmd.Parameters.AddWithValue("text1", T1.Text);
cmd.Parameters.AddWithValue("text2", T2.Text);
var adapter = new SqlDataAdapter(cmd);
var data = new DataSet();
sql.Fill(data);
Session["DataforSearch_DDL"] = data.Tables[0];
}
}
public string OnlyLettersAndDigits(string value)
{
var stripped = "";
foreach (var ch in value)
{
if (char.IsLetterOrDigit(ch))
stripped += ch;
}
return stripped;
}
You can use store procedure for customer search, It will work for both ADO.Net and LINQ approach. Just create a SP and add it to your DBML file very simple.
Here is the link how you can use SP in LINQ
http://www.mssqltips.com/sqlservertip/1542/using-stored-procedures-with-linq-to-sql/
I'm trying to translate some perl code into C# and I'm having some trouble with the following.
After establishing a sql server connection and executing the select statement, how do I reference the different elements in the table columns. For example, in Perl it looks like:
my $dbh = DBI -> connect( NAME, USR, PWD )
or die "Failed to connect to database: " . DBI->message;
my $dbname = DB_NAME;
my $dbschema = DB_SCHEMA;
my $sql = qq{select a,b,c,d,e,f,g,h,i,...
from $dbname.$dbschema.package p
join $dbname.$dbschema.package_download pd on p.package_id = pd.package_id
join $dbname.$dbschema.download d on pd.download_id = d.download_id
where p.package_name = '$package'
--and ds.server_address like 'tcp/ip'
order by a,b,c,d,..};
my $sth = $dbh -> prepare( $sql )
or die "Failed to prepare statement: " . $dbh->message;
$sth -> execute()
or die "Failed to execute statement: " . $sth->message;
#now to go through each row in result table
while ( #data = $sth->fetchrow_array() )
{
print "$data[0]";
# If source server FTP is not already open, make new FTP
if ( $data[0] != $src_id )
{
if ( $src_ftp )
{ $src_ftp -> quit; }
$src_ftp = make_ftp( $data[1], $data[2], $data[3], $data[18], $data[19], $data[20] );
$src_id = $data[0];
}
}
so far I've got it down to
string db = NAME;
string myConnectionString = "Data Source=ServerName;" + "Initial Catalog=" + db + "User id=" + ODBC_USR + "Password=" + PWD
SqlConnection myConnection = new SqlConnection(myConnectionString);
string myInsertQuery = "select a,b,c,d,e,f,g,h,i,...
from $dbname.$dbschema.package p
join $dbname.$dbschema.package_download pd on p.package_id = pd.package_id
join $dbname.$dbschema.download d on pd.download_id = d.download_id
where p.package_name = '$package'
--and ds.server_address like 'tcp/ip'
order by a,b,c,d,..";
SqlCommand myCommand = new SqlCommand(myInsertQuery);
myCommand.Connection = myConnection;
myConnection.Open();
myCommand.ExecuteNonQuery();
myCommand.Connection.Close();
but how do I reference the columns like data[0] and data[1] in C#. Sorry I'm new to both languages so my background is severely lacking. Thanks!
You could reference your column directly by its column name or by numeric order (it starts with 0 as the first column) either through a DataTable, DataSet, DataReader or a specific DataRow.
For the sake of example i'll use a DataTable here and I will name it as dt and let's say we want to reference the first row then you could reference it with the following Syntax/Format:
dt[RowNumber]["ColumnName or Column Number"].ToString();
For example:
dt[0]["a"].ToString();
Or by number the first column with be 0 like:
dt[0][0].ToString();
And use Parameters by the way because without which it would be susceptible to SQL Injection. Here's a more complete code below:
string db = NAME;
string myConnectionString = "Data Source=ServerName;" + "Initial Catalog=" + db + "User id=" + ODBC_USR + "Password=" + PWD
using (SqlConnection connection = new SqlConnection(myConnectionString))
{
string mySelectQuery = #"SELECT a,b,c,d,e,f,g,h,i,...
FROM package p
JOIN package_download pd on p.package_id = pd.package_id
join download d on pd.download_id = d.download_id
WHERE p.package_name = #PackageName
AND ds.server_address LIKE 'tcp/ip%'
ORDER by a,b,c,d";
try
{
connection.Open();
using (SqlDataAdapter da = new SqlDataAdapter(mySelectQuery, connection))
{
using (SqlCommand cmd = new SqlCommand())
{
da.SelectCommand.Parameters.AddWithValue("#PackageName", txtPackage.Text);
DataTable dt = new DataTable();
da.Fill(dt);
if (dt.Rows.Count>0) // Make sure there is something in your DataTable
{
String aVal = dt[0]["a"].ToString();
String bVal = dt[0]["b"].ToString();
// You'll be the one to fill up
}
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
I change your LIKE 'tcp/ip' to LIKE 'tcp/ip%' by the way which is the more appropriate one of using LIKE.
you can use ado.net entity data table to reference the tables in your sql server. I don't know if you're asking exactly this but it may help. because direct referencing to sql server is not possible as far as i know.
I use the following code for saving.Updating records to Oracle,
OracleConnection con = new OracleConnection(constr);
con.Open();
// Create the command.
OracleCommand cmd = new OracleCommand("", con);
cmd.CommandText = "<?xml version=\"1.0\"?>\n" +
"<ROWSET>\n" +
" <MYROW>\n" +
" <FIELD1>2</FIELD1>\n" +
" <FIELD2>zafar</FIELD2>\n" +
" </MYROW>\n" +
"</ROWSET>\n";
// Set the XML save properties.
KeyColumnsList = new string[1];
KeyColumnsList[0] = "FIELD1";
UpdateColumnsList = new string[1];
UpdateColumnsList[0] = "FIELD2";
cmd.XmlSaveProperties.KeyColumnsList = KeyColumnsList;
cmd.XmlSaveProperties.UpdateColumnsList = UpdateColumnsList;
cmd.XmlSaveProperties.RowTag = "MYROW";
cmd.XmlSaveProperties.Table = "testconn";
cmd.XmlSaveProperties.Xslt = null;
cmd.XmlSaveProperties.XsltParams = null;
rows = cmd.ExecuteNonQuery();
Console.WriteLine("rows: " + rows);
In the Field2 column I want to use select user from dual. I am not able to save current DB user.
The structure of data in the CommandText assumes that all values are literals. There is no way to have it recognize an inner query or expression. If you want to query the user you will have to do it separately and incorporate that into the data. This may be possible with the Xslt and XsltParams clauses.