// Builds the WHERE fragment as plain text (the question shows it becoming
// something like "'nyc' or sometable.coll = 'la' or sometable.coll = 'miami'").
string selectedAreas = getSelectedAreas(areaCounts);
// NOTE(review): neither object is disposed; `using` on both would return the
// connection to the pool even when the command throws.
SqlConnection cn = new SqlConnection(connectionstring);
SqlCommand cmd = new SqlCommand();
// A parameter carries exactly one value; SQL text such as
// "'nyc' or sometable.coll = 'la'" cannot be supplied through one, which is
// why the server reports an undeclared scalar variable.  Bind each area as
// its own parameter instead (e.g. "coll IN (@a0, @a1, ...)").  SqlClient
// placeholders use the '@' prefix, and there is no space before "order by",
// so the literal below glues the placeholder onto the next keyword.
cmd.CommandText = "select top 1 [x1] " +
"from sometable " +
"where sometable.coll = #selectedAreas" +
"order by NEWID() ";
cmd.CommandType = System.Data.CommandType.Text;
cmd.Connection = cn;
// Binds the whole fragment as a single string value; it would be compared
// literally against coll, never interpreted as SQL.
cmd.Parameters.AddWithValue("#selectedAreas", selectedAreas);
What am I doing wrong here?
I get
Must declare the scalar variable for @selectedAreas.
@selectedAreas might become something like:
" 'nyc' or sometable.coll = 'la' or sometable.coll = 'miami' "
Edit:
I added the space, as the comment below pointed out, and removed the parameter, like this:
// The SQL fragment is now concatenated straight into the statement text.
// If any area name can originate from user input, a quote or SQL fragment
// inside it becomes part of the query (SQL injection); binding one
// parameter per area keeps the values out of the SQL text entirely.
// Also note the missing '+' between `selectedAreas` and the next literal:
// as written these two lines do not compile.
cmd.CommandText = "select top 1 [x1] " +
"from sometable " +
"where sometable.coll = " + selectedAreas
" order by NEWID() ";
Don't know how correct it is, but it works for now...
It could be the way you are running the command (which you didn't include in your question), such as in this case: Must Declare Scalar Variable
I have a winform and a textbox which will pass the value to a prepared statement like this
searchKey = "member_chinese_name";
field_name = "member_chinese_name";
// The placeholder name is assembled from a variable.  Both the placeholder
// and the parameter below are built from the same column name, so they do
// line up here, but a placeholder should be a fixed token in the SQL text
// (the answer below uses "@sKey"); MySQL parameters use the '@' prefix.
daoQuery = "SELECT * FROM member where member_chinese_name like #" + searchKey;
sqlCmd = new MySqlCommand(daoQuery, databaseConnection);
// Debug output of the field name and search value.
MessageBox.Show(field_name + " " + field_value1);
// The '%' wildcard is appended to the bound value, which is the right place
// for it: the search text itself never becomes part of the SQL.
sqlCmd.Parameters.Add(new MySqlParameter("#"+field_name , field_value1 + "%"));
sqlCmd.CommandTimeout = 60;
// ExecuteNonQuery runs the SELECT and discards its rows; adapter.Fill
// executes the same command again below, so this call is a wasted round trip.
sqlCmd.ExecuteNonQuery();
adapter.SelectCommand = sqlCmd;
adapter.Fill(ds);
the whole query is (select * from member where member_chinese_name like 中文字%;)
The query returns no result when run from my WinForm, but when I run the SQL in phpMyAdmin (select * from member where member_chinese_name like '中文字%') it is valid.
Does anyone know what the problem is?
Remarks: searching for English text works fine.
The problem might be the parameter you are sending for the search. It should be @searchKey instead of "@" + searchKey; and you can also use sqlCmd.Parameters.AddWithValue instead of sqlCmd.Parameters.Add(new MySqlParameter(...)), so the code would look like
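searchKey = "member_chinese_name";
field_name = "member_chinese_name";
// Fixed placeholder: MySQL parameters are written as @name, and the name is
// part of the SQL text rather than assembled from a variable.
daoQuery = "SELECT * FROM member where member_chinese_name like @sKey";
sqlCmd = new MySqlCommand(daoQuery, databaseConnection);
// Debug output of the field name and search value.
MessageBox.Show(field_name + " " + field_value1);
// The '%' wildcard travels inside the parameter value, not the SQL text,
// so the search term is never spliced into the statement.
//not sure which variable stores 中文字
sqlCmd.Parameters.AddWithValue("@sKey", field_value1 + "%");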
I'm trying to execute multiple updates like this
UPDATE clients SET name = :name WHERE clientId = :clientID
I've tried something like this
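// Runs both client updates in one parameterized PL/SQL block.  The values
// travel as bind variables, so a name containing a quote or SQL fragment
// cannot change the statement (the concatenated form also failed because
// the text values were unquoted and each UPDATE lacked its ';').
// For hundreds of rows, keep a single "UPDATE ... :name ... :clientId"
// command and re-execute it with new parameter values inside a
// transaction; ODP.NET can also bind whole arrays (see ArrayBindCount).
using (OracleConnection con = new OracleConnection(connectionString))
using (OracleCommand cmd = con.CreateCommand())
{
    con.Open();
    cmd.CommandText =
        "begin " +
        " UPDATE clients SET name = :name1 WHERE clientId = :clientId1; " +
        " UPDATE clients SET name = :name2 WHERE clientId = :clientId2; " +
        "end;";
    cmd.CommandType = CommandType.Text;
    // Some Oracle providers bind by position, so the parameters are added
    // in the order their placeholders appear in the text.
    cmd.Parameters.Add("name1", name1);
    cmd.Parameters.Add("clientId1", clientId1);
    cmd.Parameters.Add("name2", name2);
    cmd.Parameters.Add("clientId2", clientId2);
    cmd.ExecuteNonQuery();
    // con and cmd are disposed (and the connection closed) by the using blocks.
}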
but I need to execute hundreds of parameterized updates like the first one
Hello, I have a problem running an update query against Microsoft Access 2013. I just want to update the client table with client id, name and phone, but I can't get the data to update; I always get a syntax error.
// The text values (Name.Text, Phone.Text) are inserted without quotes, which
// is the syntax error; and every value comes straight from the form, so a
// typed quote or SQL fragment becomes part of the statement (SQL injection).
// Binding the values as parameters, as in the answer below, fixes both.
// Setting client.ID to the same value used in the WHERE clause is a no-op.
string I = "UPDATE client SET client.ID =" + ID.Text + " ,client.Name =" + Name.Text + " ,client.Phone = " + Phone.Text + " WHERE client.ID="+ ID.Text +"";
command.CommandText = I;
command.CommandType = CommandType.Text;
connection.Open();
command.ExecuteNonQuery();
You need to use a parameterized query, like this:
// Parameterized update: the form values are bound, never concatenated into
// the SQL text.  All three parameters share the name "?", so they are
// matched to the markers by position; keep the Add calls in statement order.
var updateSql = "UPDATE client SET client.Name = ?, client.Phone = ? WHERE client.ID = ?";
command.CommandText = updateSql;
command.CommandType = CommandType.Text;
connection.Open();
command.Parameters.AddWithValue("?", Name.Text);
command.Parameters.AddWithValue("?", Phone.Text);
command.Parameters.AddWithValue("?", ID.Text);
command.ExecuteNonQuery();
Note that it makes no sense to "SET" client.ID since it is not going to change.
Say I have a basic query, something like this:
SELECT holiday_name
FROM holiday
WHERE holiday_name LIKE %Hallow%
This executes fine in my SQL query pane and returns 'Halloween'. My problem occurs when I try to use parameters with the wildcard '%' characters in my code.
SqlConnection Connection = null;
SqlCommand Command = null;
string ConnectionString = ConfigurationManager.ConnectionStrings["SQLdb"].ConnectionString;
// Wildcards glued onto the placeholder are not part of the parameter token,
// so the statement fails to parse.  Keep the SQL as "LIKE @name" and put
// the '%' characters into the bound value ("%" + text + "%").
string CommandText = "SELECT holiday_name "
+ "FROM holiday "
+ "WHERE holiday_name LIKE %#name%";
Connection = new SqlConnection(ConnectionString);
try
{
Connection.Open();
Command = new SqlCommand(CommandText, Connection);
// The parameter name should match the placeholder in the SQL, prefix included.
Command.Parameters.Add(new SqlParameter("name", HolidayTextBox.Text));
var results = Command.ExecuteScalar();
}
catch (Exception ex)
{
// Swallowing every exception hides the very syntax error being debugged;
// log `ex` or rethrow with `throw;`.
//error stuff here
}
finally
{
// `Command` is still null if Connection.Open() throws, so this line would
// raise a NullReferenceException from inside finally; use `Command?.Dispose()`,
// or `using` declarations for both objects.
Command.Dispose();
Connection.Close();
}
This throws an incorrect syntax error. I've tried moving the '%' to my parameter like so
Command.Parameters.Add(new SqlParameter("%name%", HolidayTextBox.Text));
but then I receive an error saying I haven't declared the scalar variable '@name'. So, how do you properly format wildcard characters to be included with query parameters? Any help is appreciated!
First off, your SqlParameter name is @name, not name.
Second, I would move your wildcards.
So it would look like this:
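// The SQL keeps a bare placeholder (SqlClient uses the '@' prefix); the
// wildcards go into the bound value so the textbox text never touches the
// statement.
string CommandText = "SELECT holiday_name "
    + "FROM holiday "
    + "WHERE holiday_name LIKE @name;";
Connection = new SqlConnection(ConnectionString);
try
{
    // If the user's text may itself contain '%', '_' or '[', escape those
    // first (see the note below); `escapedForLike` stands for that text.
    var escapedForLike = HolidayTextBox.Text;
    string searchTerm = $"%{escapedForLike}%";
    Connection.Open();
    Command = new SqlCommand(CommandText, Connection);
    Command.Parameters.Add(new SqlParameter("@name", searchTerm));
    var results = Command.ExecuteScalar();
}
finally
{
    // Command stays null if Open() throws, hence the null-conditional call.
    Command?.Dispose();
    Connection.Dispose();
}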
Note that LIKE requires special care when passing parameters and you need to escape some characters; see: Escaping special characters in a SQL LIKE statement using sql parameters.
Whatever you do, don't do this:
// Counter-example: the textbox value is pasted straight into the SQL text,
// so any quote or SQL fragment a user types becomes part of the statement
// (SQL injection).  The quoting is also wrong, producing '%'text'%'.
string CommandText = "SELECT holiday_name "
+ "FROM holiday "
+ "WHERE holiday_name LIKE '%'" + HolidayTextBox.Text + "'%'";
as that will open you up to SQL injection; instead do this:
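// SqlClient parameter names carry the '@' prefix; the wildcards are part of
// the bound value, so the textbox text never becomes SQL.
Command.Parameters.Add(new SqlParameter("@name", "%" + HolidayTextBox.Text + "%"));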
you may like to know about Command.Parameters.AddWithValue, e.g:
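// Same binding via AddWithValue (the parameter type is inferred from the
// value); the '@' prefix matches the placeholder in the SQL text.
Command.Parameters.AddWithValue("@name", "%" + HolidayTextBox.Text + "%");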
The %s should be part of the search string, not the query.
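// The wildcards belong in the parameter value; the SQL keeps a bare
// placeholder written with SqlClient's '@' prefix.
string CommandText = "SELECT holiday_name "
+ "FROM holiday "
+ "WHERE holiday_name LIKE @name";
Connection = new SqlConnection(ConnectionString);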
try
{
Connection.Open();
Command = new SqlCommand(CommandText, Connection);
string name = "%" + HolidayTextBox.Text + "%";
Command.Parameters.Add(new SqlParameter("#name", name));
I use this code in my project (SQL COMPACT):
"select Name
from Drug
where Name
like '" + Dname + "%'
limit 10"
Dname is a string value. The result is this error:
There was an error parsing the query.
[ Token line number = 1,Token line offset = 44,Token in error = LIMIT ]
Why is this happening and how can I fix it?
I think what you want is
"select TOP (10)
from Drug
where Name
like '" + Dname + "%' "
You should also try using parameterized queries:
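// A select list is required ("select TOP(10) from ..." is a syntax error);
// the table and variable names follow the question (Drug, Dname).
string qry = "select TOP(10) Name from Drug where name like @dname";
// SqlCommand takes a SqlConnection, not a connection string; both objects
// are disposed by the using statements.
using (SqlConnection oCn = new SqlConnection(ConnectionString))
using (SqlCommand oCmd = new SqlCommand(qry, oCn))
{
    // The wildcard is appended to the bound value, never to the SQL text.
    oCmd.Parameters.AddWithValue("@dname", Dname + '%');
    // open oCn and execute oCmd here
}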
Never use string concatenation to build SQL queries. Always use parameterized queries:
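string connectionString = .... // placeholder: your connection string
// Both the connection and the command are disposed by the using blocks,
// even if ExecuteReader throws.
using (var conn = new SqlConnection(connectionString))
using (var cmd = conn.CreateCommand())
{
    conn.Open();
    // A select list is required ("SELECT TOP 10 FROM drug" is a syntax
    // error); '@' is the SqlClient parameter prefix.
    cmd.CommandText = "SELECT TOP 10 Name FROM drug WHERE name LIKE @name";
    // The '%' wildcard is part of the bound value, so Dname can never
    // change the statement text.
    cmd.Parameters.AddWithValue("@name", Dname + '%');
    using (var reader = cmd.ExecuteReader())
    {
        while (reader.Read())
        {
            ... // read the columns from `reader`
        }
    }
}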
According to this previous question, the proper syntax is TOP(n), so try this:
"select TOP(10) Name
from Drug
where Name
like '" + Dname + "%' "