How can I write the following query as a parametrized query? - asp.net

I have been hearing about parametrized queries every time I ask a question about database here. It looks like I am not using parametrized queries and my code may suffer from SQL injection. So here is my code:
// Inserts one row into StudentTable; the statement text is assembled by concatenating every argument.
public void CreateStudent(int ID, String status, String email, String firstName, String lastName, String password, String level, String program)
{
SqlConnection con = new SqlConnection(GetConnectionString());
// NOTE(review): each argument is placed between single quotes without any escaping, so a value that
// contains a quote becomes part of the SQL statement itself. This is the SQL injection risk the author asks about.
// NOTE(review): password is written to the table exactly as received; if callers pass the plain-text
// password, it should be hashed with a password-hashing function first - confirm against the caller.
string query1 = "insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) values ("
+ "'" + firstName + "'" + "," + "'" + lastName + "'" + ","
+ "'" + ID + "'" + "," + "'" + email + "'" + "," + "'" + level + "'" + "," + "'" + program + "'" + "," + "'" + status + "'"
+ "," + "'" + password + "'" + "," + "'" + "Student" + "'" + ")";
SqlCommand command = new SqlCommand(query1,con);
int result;
con.Open();
// NOTE(review): if ExecuteNonQuery throws, con.Close() below is not reached and the connection is not released here.
result = command.ExecuteNonQuery();
con.Close();
}
Here is what I have tried:
// Author's first attempt at a parameterized INSERT; reported below as failing with "invalid column name".
SqlConnection con = new SqlConnection(GetConnectionString());
// NOTE(review): the '#' prefix on the placeholders looks like an extraction artifact for '@'
// (SQL Server parameter markers start with '@') - confirm against the original post.
// The last value, Student, is written without quotes, so the server reads it as a column name
// rather than a string literal; that matches the error the author reports.
string query1 = "insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) values(#firstName,#lastName,#ID,#email,#level,#program,#status,#password,Student)";
SqlCommand command = new SqlCommand(query1,con);
// Each value is handed to the command as a parameter instead of being pasted into the SQL text.
command.Parameters.AddWithValue("#firstName", firstName);
command.Parameters.AddWithValue("#lastName", lastName);
command.Parameters.AddWithValue("#ID", ID);
command.Parameters.AddWithValue("#email", email);
command.Parameters.AddWithValue("#level", level);
command.Parameters.AddWithValue("#program", program);
command.Parameters.AddWithValue("#status", status);
command.Parameters.AddWithValue("#password", password);
int result;
con.Open();
result = command.ExecuteNonQuery();
con.Close();
This gives an error saying that Student is an invalid column name. Actually, here I try to use "Student" as a string value to be added to the column Type. Can somebody write this query as a parametrized query so that I can understand it?

In that case it should be 'Student'
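// Parameterized INSERT: every caller-supplied value is bound as a parameter, and only the
// constant 'Student' is written into the SQL text as a quoted literal.
string query1 = "insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) "
    + "values(@firstName,@lastName,@ID,@email,@level,@program,@status,@password,'Student')";
int result;
// The using blocks release the command and the connection even when Open or ExecuteNonQuery throws.
using (SqlConnection con = new SqlConnection(GetConnectionString()))
using (SqlCommand command = new SqlCommand(query1, con))
{
    // AddWithValue infers the SQL type from the .NET value; the server receives the values
    // separately from the statement, so quotes inside them cannot change the SQL.
    command.Parameters.AddWithValue("@firstName", firstName);
    command.Parameters.AddWithValue("@lastName", lastName);
    command.Parameters.AddWithValue("@ID", ID);
    command.Parameters.AddWithValue("@email", email);
    command.Parameters.AddWithValue("@level", level);
    command.Parameters.AddWithValue("@program", program);
    command.Parameters.AddWithValue("@status", status);
    // NOTE(review): this column should hold a salted password hash, not the plain-text
    // password - confirm what the caller passes in.
    command.Parameters.AddWithValue("@password", password);
    con.Open();
    result = command.ExecuteNonQuery();
}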

Check this link
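/// <summary>
/// Inserts one row into StudentTable with the Type column fixed to 'Student'.
/// </summary>
/// <remarks>
/// Every argument is bound as a SQL parameter, so the values never become part of the statement text.
/// </remarks>
public void CreateStudent(int ID, String status, String email, String firstName, String lastName, String password, String level, String program)
{
    string insertSql = "insert into StudentTable(Name,Surname,ID,email,level,program,status,password,Type) "
        + "values (@name, @surname, @id, @email, @level, @program, @status, @password, 'Student')";

    // The using blocks release the command and the connection even when the insert throws.
    using (SqlConnection con = new SqlConnection(GetConnectionString()))
    using (SqlCommand command = new SqlCommand(insertSql, con))
    {
        command.Parameters.Add(new SqlParameter("@name", firstName));
        command.Parameters.Add(new SqlParameter("@surname", lastName));
        command.Parameters.Add(new SqlParameter("@id", ID));
        command.Parameters.Add(new SqlParameter("@email", email));
        command.Parameters.Add(new SqlParameter("@level", level));
        command.Parameters.Add(new SqlParameter("@program", program));
        command.Parameters.Add(new SqlParameter("@status", status));
        // The statement references @password, so it has to be bound like the other values.
        // NOTE(review): this column should hold a salted password hash, not the plain-text
        // password - confirm what the caller passes in.
        command.Parameters.Add(new SqlParameter("@password", password));

        con.Open();
        command.ExecuteNonQuery();
    }
}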

Related

Query has some issues

When I run this query in the button click handler to insert the mkey into the xxacl_pn_new_cha_part_h table,
it gives me this error:
"ORA-00904: "A": invalid identifier"
Here is my code:-
// Excerpt from the click handler: for each row of the reader, copy the row to the history table and update its rating.
try
{
conn.Open();
OracleDataReader sdr = cmd.ExecuteReader();
while (sdr.Read())
{
// NOTE(review): "a.*" uses an alias "a" that the FROM clause never declares, which is what ORA-00904 reports.
// The mkey value is also concatenated into the statement text; a bind variable would keep data out of the SQL.
cmd.CommandText = "insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part where mkey= " + sdr[0].ToString(); // this query gives error
cmd.ExecuteNonQuery();
strQuery = "UPDATE xxacl_pn_new_cha_part set Rating='" + sdr[2].ToString() + "', RATING_UPDATE_DATE=convert(datetime,'" + System.DateTime.Now.ToString() + "',103) WHERE mkey = " + sdr[0].ToString();
cmd.CommandText = strQuery;
cmd.ExecuteNonQuery();
}
ScriptManager.RegisterStartupScript(this, GetType(), "alertMessage", "alert('Broker rating updated succesfully');", true);
}
I am using Oracle
UPDATE
// Click handler: selects a rating (A, B or C) per broker row, then for each row copies the current
// row into the history table and writes the new rating back.
protected void btnUpdate_Click(object sender, EventArgs e)
{
OracleConnection conn = new OracleConnection(ConfigurationManager.ConnectionStrings["OracleConn"].ConnectionString);
string strQuery = "SELECT distinct ab.mkey, ab.broker_id,CASE WHEN SYSDATE - la.creation_date <= 180 THEN 'A' WHEN SYSDATE - cef_dt <= 30 THEN " +
"'B' ELSE 'C'END rating FROM xxacl_pn_new_cha_part ab,xxacl_pn_lease_det ld,xxacl_pn_leases_all la, " +
"xxcus.xxacl_pn_customer_enquiry_v ce WHERE ab.broker_id = ld.broker_id(+) AND ld.booking_no = la.booking_no(+) " +
" AND ab.broker_id = ce.broker_id(+)";
OracleCommand cmd = new OracleCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = strQuery;
cmd.Connection = conn;
try
{
conn.Open();
OracleDataReader sdr = cmd.ExecuteReader();
while (sdr.Read())
{
// Column 0 of the reader is mkey and column 2 is the computed rating (see the SELECT list above).
// NOTE(review): both values are concatenated into the statement text; bind variables would keep data out of the SQL.
cmd.CommandText = "insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey= " + sdr[0].ToString();
cmd.ExecuteNonQuery();
// NOTE(review): convert(datetime, ..., 103) is SQL Server syntax, not Oracle; the text produced by
// DateTime.Now.ToString() also depends on the server's culture settings.
strQuery = "UPDATE xxacl_pn_new_cha_part set Rating='" + sdr[2].ToString() + "', RATING_UPDATE_DATE=convert(datetime,'" + DateTime.Now.ToString() + "',103) WHERE mkey = " + sdr[0].ToString();
cmd.CommandText = strQuery;
cmd.ExecuteNonQuery();
}
ScriptManager.RegisterStartupScript(this, GetType(), "alertMessage", "alert('Broker rating updated succesfully');", true);
}
catch (Exception ex)
{
// NOTE(review): "throw ex;" resets the stack trace; a bare "throw;" keeps the original one.
throw ex;
}
finally
{
conn.Close();
conn.Dispose();
}
}
You are missing the alias name here, try this one
// The table now carries the alias "a", so "a.*" and "a.mkey" resolve.
// NOTE(review): mkey is still concatenated into the statement; binding it as a parameter keeps data out of the SQL text.
cmd.CommandText = "insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey= " + sdr[0].ToString();
UPDATE:
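/// <summary>
/// Recomputes the rating (A, B or C) for every broker row and, for each row, first copies the
/// current row into the history table and then stores the new rating with the update time.
/// </summary>
/// <remarks>
/// The per-row statements use bind variables, so the key, the rating and the date are sent as
/// data and the date no longer depends on how the web server formats DateTime text.
/// </remarks>
protected void btnUpdate_Click(object sender, EventArgs e)
{
    string selectSql = "SELECT distinct ab.mkey, ab.broker_id,CASE WHEN SYSDATE - la.creation_date <= 180 THEN 'A' WHEN SYSDATE - cef_dt <= 30 THEN " +
        "'B' ELSE 'C'END rating FROM xxacl_pn_new_cha_part ab,xxacl_pn_lease_det ld,xxacl_pn_leases_all la, " +
        "xxcus.xxacl_pn_customer_enquiry_v ce WHERE ab.broker_id = ld.broker_id(+) AND ld.booking_no = la.booking_no(+) " +
        " AND ab.broker_id = ce.broker_id(+)";
    string historySql = "insert into xxacl_pn_new_cha_part_h select 0, sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey = :mkey";
    string updateSql = "UPDATE xxacl_pn_new_cha_part set Rating = :rating, RATING_UPDATE_DATE = :rating_date WHERE mkey = :mkey";

    // The using blocks replace the try/finally: the connection and commands are released on every
    // path, and an exception reaches the caller with its original stack trace.
    using (OracleConnection conn = new OracleConnection(ConfigurationManager.ConnectionStrings["OracleConn"].ConnectionString))
    using (OracleCommand selectCmd = new OracleCommand(selectSql, conn))
    using (OracleCommand historyCmd = new OracleCommand(historySql, conn))
    using (OracleCommand updateCmd = new OracleCommand(updateSql, conn))
    {
        conn.Open();
        using (OracleDataReader sdr = selectCmd.ExecuteReader())
        {
            while (sdr.Read())
            {
                object mkey = sdr[0];      // first column of the SELECT list
                object rating = sdr[2];    // third column: the CASE expression

                historyCmd.Parameters.Clear();
                historyCmd.Parameters.Add(new OracleParameter("mkey", mkey));
                historyCmd.ExecuteNonQuery();

                // Parameters are added in the order they appear in the statement, so the
                // binding is correct whether the provider binds by position or by name.
                updateCmd.Parameters.Clear();
                updateCmd.Parameters.Add(new OracleParameter("rating", rating));
                updateCmd.Parameters.Add(new OracleParameter("rating_date", DateTime.Now));
                updateCmd.Parameters.Add(new OracleParameter("mkey", mkey));
                updateCmd.ExecuteNonQuery();
            }
        }

        ScriptManager.RegisterStartupScript(this, GetType(), "alertMessage", "alert('Broker rating updated succesfully');", true);
    }
}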
You missed the alias name of a table
"insert into xxacl_pn_new_cha_part_h select sysdate, a.* from xxacl_pn_new_cha_part a where a.mkey= " + sdr[0].ToString();

Incorrect syntax near keyword 'd1'

The SQL query works in SQL Server Management Studio. But, in Visual studio it gives an error
Incorrect syntax near D1
Code:
// Reads the document with the given id and copies its due week and title into the page's text boxes.
private void GetDataByID(string _id)
{
string connectionString = ConfigurationManager.ConnectionStrings["DatabaseConnectionString"].ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
{
// The first literal ends in "d2" and the second starts with "where", so the joined text reads "d2where";
// the second literal also contains "and = d2.DocumentId =", which is not valid SQL.
// NOTE(review): _id is concatenated into the statement, so whatever text the caller passes becomes part of
// the SQL; binding it as a parameter would avoid that.
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2" +
"where d1.DocumentId = d2.DocumentId and = d2.DocumentId =" + _id;
SqlCommand cmd = new SqlCommand(sqlCommand, connection);
SqlDataReader MyReader;
try
{
connection.Open();
MyReader = cmd.ExecuteReader();
while (MyReader.Read())
{
string sDueWeek = MyReader["DueWeek"].ToString();
string sTitle = MyReader["DocumentTitle"].ToString();
//string sEnglishBodyContent = MyReader["DocumentBody"].ToString();
//string sFrenchBodyContent = MyReader["DocumentBody"].ToString();
txb_Week.Text = sDueWeek;
txb_Title.Text = sTitle;
}
}
catch (Exception ex)
{
// NOTE(review): this writes the raw exception message into the response, which shows database
// error details to the visitor; logging it server-side and showing a generic message is safer.
Response.Write(ex.Message);
}
}
}
Change the query as shown below
// NOTE(review): wrapping _id in quotes does not make the concatenation safe, because a quote inside
// _id still ends the literal; bind _id as a SqlParameter instead.
"SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2
where d1.DocumentId = d2.DocumentId and d2.DocumentId ='" + _id + "'";
In your query, you also have entered = sign after and.
Try this code
// Same query written with an explicit INNER JOIN.
// NOTE(review): _id is still concatenated into the statement text; bind it as a SqlParameter so it is sent as data.
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent d1 inner join KFM.dbo.ToolBoxDocument as d2 on d1.DocumentId = d2.DocumentId " + " where d2.DocumentId = " + _id;
It is also better to write a stored procedure instead and call it from your C# code.
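/// <summary>
/// Loads the document with the given id and shows its due week and title in the page's text boxes.
/// </summary>
/// <param name="_id">Document id as text; it must parse as an integer.</param>
/// <exception cref="FormatException">Thrown by int.Parse when <paramref name="_id"/> is not a number.</exception>
/// <exception cref="OverflowException">Thrown by int.Parse when the number does not fit in an int.</exception>
private void GetDataByID(string _id)
{
    string connectionString = ConfigurationManager.ConnectionStrings["DatabaseConnectionString"].ConnectionString;
    string sqlCommand = "SELECT d1.*, d2.* "
        + " FROM KFM.dbo.ToolBoxDocContent as d1"
        + " INNER JOIN KFM.dbo.ToolBoxDocument as d2 ON d1.DocumentId = d2.DocumentId"
        + " WHERE d2.DocumentId = @ID";

    using (SqlConnection connection = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(sqlCommand, connection))
    {
        // The id is parsed to an int and bound as a typed parameter, so no caller-supplied
        // text ever becomes part of the statement.
        cmd.Parameters.Add("@ID", SqlDbType.Int).Value = int.Parse(_id);
        try
        {
            connection.Open();
            using (SqlDataReader MyReader = cmd.ExecuteReader())
            {
                while (MyReader.Read())
                {
                    txb_Week.Text = MyReader["DueWeek"].ToString();
                    txb_Title.Text = MyReader["DocumentTitle"].ToString();
                }
            }
        }
        catch (Exception ex)
        {
            // Encoded so that markup inside the message is shown as text instead of being rendered.
            // NOTE(review): the message still exposes database error details to the visitor;
            // logging it server-side and showing a generic message is the safer choice.
            Response.Write(Server.HtmlEncode(ex.Message));
        }
    }
}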
I noticed two things in your query:
1. There is no space where the two strings are joined with '+', so add a space before where.
2. The where clause has a syntax error: remove the extra '=' after and in and = d2.DocumentId = " + _id
Your final query will look like as mentioned below:
// Syntax corrected: a space now precedes "where" and the stray '=' after "and" is gone.
// NOTE(review): _id is still concatenated into the statement text; bind it as a SqlParameter so it is sent as data.
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2" +
" where d1.DocumentId = d2.DocumentId and d2.DocumentId =" + _id;
Update:
// Variant that passes _id as a quoted literal.
// NOTE(review): the quotes do not protect the statement, because a quote inside _id still ends the
// literal; bind _id as a SqlParameter instead.
string sqlCommand = "SELECT d1.*, d2.* FROM KFM.dbo.ToolBoxDocContent as d1, KFM.dbo.ToolBoxDocument as d2" +
" where d1.DocumentId = d2.DocumentId and d2.DocumentId = '" + _id + "'";

The Microsoft Jet database engine cannot open the file

I am writing a code to query .CSV file using SQL below is my code which works perfectly fine
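// Queries a CSV file through the Jet text driver: the connection's Data Source is the file's
// directory, and each SELECT names the file (SampleData.csv) as its table.
string fileDirectory = @"C:\TechnicalTest\GskTest\Csv\SampleData.csv";
// Not used by the connection below, which is built from the directory instead of the file path.
string strCSVConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source="
    + fileDirectory + ";Extended Properties='text;HDR=YES;'";
string sqlCust = "Select Count(order_id), order_id, contact_id from SampleData.csv "
    + "Group by order_id, contact_id "
    + "Order by 1 Desc";
string sqlProd = "Select Count(order_id), product_id from SampleData.csv "
    + "Group by product_id "
    + "Order by 1 Desc";
string sqlOrders = "Select Count(order_id) from SampleData.csv "
    + "Order by 1 Desc";

DataTable dtCust = new DataTable();
DataTable dtProd = new DataTable();
DataTable dtOrders = new DataTable();

// The using blocks close the connection and release each adapter even when a query throws.
using (OleDbConnection con = new OleDbConnection("Provider=Microsoft.Jet.OleDb.4.0; Data Source = " + System.IO.Path.GetDirectoryName(fileDirectory) + "; Extended Properties = \"Text;HDR=YES;FMT=Delimited\""))
{
    con.Open();
    using (OleDbDataAdapter daCust = new OleDbDataAdapter(sqlCust, con))
    {
        daCust.Fill(dtCust);
    }
    using (OleDbDataAdapter daProd = new OleDbDataAdapter(sqlProd, con))
    {
        daProd.Fill(dtProd);
    }
    using (OleDbDataAdapter daOrders = new OleDbDataAdapter(sqlOrders, con))
    {
        daOrders.Fill(dtOrders);
    }
}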
But when I am trying to call the same code from the function by passing the file path which is retrieved from asp.net file upload control it does not work. Please see the code below.
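/// <summary>
/// Saves the uploaded file under ~/Csv, runs the summary queries on it and writes the number of
/// rows read from it to the response.
/// </summary>
protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (!fupPath.HasFile)
    {
        return;
    }

    // Path.GetFileName drops any directory part sent by the client, so the save path stays inside ~/Csv.
    string filename = Path.GetFileName(fupPath.FileName);

    // The upload is untrusted input: accept only the file type this page is meant to process.
    if (!string.Equals(Path.GetExtension(filename), ".csv", StringComparison.OrdinalIgnoreCase))
    {
        Response.Write("Only .csv files can be uploaded.");
        return;
    }

    // NOTE(review): ~/Csv lies inside the web application, so saved uploads may be reachable by URL,
    // and an upload that reuses an existing name overwrites that file. A folder such as App_Data and
    // a server-generated file name would avoid both - confirm what Summery expects first.
    String csv_file_path = Path.Combine(Server.MapPath("~/Csv"), filename);
    fupPath.SaveAs(csv_file_path);
    Summery(csv_file_path);
    DataTable csvData = GetDataTabletFromCSVFile(csv_file_path);
    Response.Write("Rows count:" + csvData.Rows.Count);
}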
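/// <summary>
/// Runs three summary queries through the Jet text driver against the directory that contains
/// <paramref name="fileName"/>.
/// </summary>
/// <param name="fileName">Full path of the CSV file; only its directory is used for the connection.</param>
/// <remarks>
/// The queries name the table SampleData.csv regardless of the file name passed in, and the
/// filled tables are local to this method.
/// </remarks>
protected void Summery(string fileName)
{
    string csvDirectory = System.IO.Path.GetDirectoryName(fileName);
    string sqlCust = "Select Count(order_id), order_id, contact_id from SampleData.csv "
        + "Group by order_id, contact_id "
        + "Order by 1 Desc";
    string sqlProd = "Select Count(order_id), product_id from SampleData.csv "
        + "Group by product_id "
        + "Order by 1 Desc";
    string sqlOrders = "Select Count(order_id) from SampleData.csv "
        + "Order by 1 Desc";

    DataTable dtCust = new DataTable();
    DataTable dtProd = new DataTable();
    DataTable dtOrders = new DataTable();

    // The using blocks close the connection and release each adapter even when a query throws;
    // the original released them only when every call succeeded.
    using (OleDbConnection conn = new OleDbConnection("Provider=Microsoft.Jet.OleDb.4.0; Data Source = " + csvDirectory + "; Extended Properties = \"Text;HDR=YES;FMT=Delimited\""))
    {
        conn.Open();
        using (OleDbDataAdapter daCust = new OleDbDataAdapter(sqlCust, conn))
        {
            daCust.Fill(dtCust);
        }
        using (OleDbDataAdapter daProd = new OleDbDataAdapter(sqlProd, conn))
        {
            daProd.Fill(dtProd);
        }
        using (OleDbDataAdapter daOrders = new OleDbDataAdapter(sqlOrders, conn))
        {
            daOrders.Fill(dtOrders);
        }
    }
}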
You need to call a sheet name SheetName$ instead of file name SampleData.csv.
For example,
Select Count(order_id), order_id, contact_id from [SheetName$]
Normally, here is how you get a file path in ASP.Net, because you do not know the drive letter where your web application is hosted. In addition, you do not have access to a file located outside of web application.
// Build the path from the application's own root directory instead of a fixed drive letter.
var filePath = HttpRuntime.AppDomainAppPath + "App_Data\\ExportImport\\" + "SampleData.csv";

There is no row at position 0 error at asp.net

I was writing a web based program and this is my authentication page. It was working fine but suddenly it started to give that error.
Here is my code:
// Student branch of the authentication page: reads the student's level and program, builds the
// Student object and fills its schedule from RegisterTable and CourseTable.
else if (LoginAs.SelectedValue == "Student")
{
string tableName = "StudentTable";
String name = "", surname = "", email = "";
// NOTE(review): idBox.Text is typed by the visitor and is concatenated into this and the next two
// queries, so its content becomes part of the SQL. Bind it as a SqlParameter instead.
string query = "Select level from " + tableName + " where ID='" + idBox.Text + "'";
SqlCommand cmd = new SqlCommand(query, con);
string level = Convert.ToString(cmd.ExecuteScalar());
CreateUser(con, tableName, ref name, ref surname, ref email);
query = "Select program from " + tableName + " where ID='" + idBox.Text + "'";
cmd = new SqlCommand(query, con);
string program = Convert.ToString(cmd.ExecuteScalar());
// Convert.ToInt32 is the first point where the id is required to be numeric, and it runs only
// after the text has already been used in two queries.
// NOTE(review): if MyGlobals.student and MyGlobals.currentID are static members, they are shared by
// every visitor of the application; per-user state normally belongs in Session - confirm.
MyGlobals.student = new Student(Convert.ToInt32(idBox.Text), "Active", email, name, surname, password, level, program);
MyGlobals.currentID = idBox.Text;
query = "Select * from RegisterTable where StudentID='" + idBox.Text + "'";
cmd = new SqlCommand(query, con);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataTable dt = new DataTable();
da.Fill(dt);
foreach (DataRow dr in dt.Rows)
{
// One course lookup per registration row; the three key values are read from RegisterTable and concatenated.
query = "SELECT * FROM CourseTable WHERE CourseCode='" + dr["CourseCode"] + "' AND CourseNumber='" + dr["CourseNumber"] + "' AND Term='" + dr["Term"] + "'";
cmd = new SqlCommand(query, con);
SqlDataAdapter da2 = new SqlDataAdapter(cmd);
DataTable dt2 = new DataTable();
da2.Fill(dt2);
// Rows[0] throws when the lookup returned no rows, i.e. when a registration has no matching course;
// checking dt2.Rows.Count before indexing avoids the exception.
DataRow dr2 = dt2.Rows[0]; //ERROR COMES AT HERE
Course course = new Course(dr2["InstructorName"].ToString(), dr2["CourseCode"].ToString(), dr2["CourseNumber"].ToString(), dr2["CourseName"].ToString(), dr2["Term"].ToString(), dr2["CRN"].ToString(), dr2["Level"].ToString(), dr2["Credit"].ToString(), dr2["Description"].ToString(), dr2["Capacity"].ToString());
Register reg = new Register(course, MyGlobals.student);
MyGlobals.student.addToSchedule(reg);
}
// num is read here but not used again in this excerpt.
int num = (int)Application["OnlineUsers"];
Response.Redirect("Student.aspx");
}
Can anyone help me with this? Thanks in advance.
You don't specify where the exception is thrown but a very common reason for this (my opinion) is that your query doesn't return any results (or rows).

SQL ASP.NET INSERT troubles (part 2)

And i am back again.
I have asked a similar question before, but even with the help of the previous answer, and after trying question marks and trying AddWithValue instead of Add, I didn't have any luck.
I tried to change the txt_Naam to txt_Naam.Text, nothing.
Also putting [] around the columnnames, no luck.
It keeps giving me this "Syntax error in INSERT INTO statement.".
This time i got nowhere with the code below.
Probably something small, but i can't figure it out. (Again...)
// Click handler: joins the invoice and shipping address fields into two comma-separated strings and
// inserts them, with a fixed total of "1", into the Order table of the Access database.
protected void btn_final_Click(object sender, EventArgs e)
{
string fact_adres = txt_Naam.Text + "," + txt_Anaam.Text + "," + txt_Adres.Text + "," + txt_Toevoeg.Text + "," + txt_Pcode.Text + "," + txt_Plaats.Text + "," + txt_Email.Text ;
string fact_adres1 = txt_Naam1.Text + "," + txt_Anaam1.Text + "," + txt_Adres1.Text + "," + txt_Toevoeg1.Text + "," + txt_Pcode1.Text + "," + txt_Plaats1.Text + "," + txt_Email1.Text;
string a = "1";
OleDbConnection conn = new OleDbConnection();
conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0; "
+ "Data Source=|DataDirectory|webwinkel.accdb";
OleDbCommand cmd = new OleDbCommand();
cmd.Connection = conn;
// The text-box values reach the statement only through the three '?' placeholders, never through the SQL text.
// NOTE(review): Order is a reserved word in Access SQL, so the unbracketed table name is a likely cause
// of the reported syntax error; writing it as [Order] avoids that - confirm against the database.
cmd.CommandText = "INSERT INTO Order (factuur_adres_id, verzend_adres_id, totaalprijs) VALUES (?, ?, ?);";
// The parameters are added in the same order as the '?' placeholders appear.
// NOTE(review): the '#' prefix on the names looks like '@' lost in extraction - confirm against the original post.
cmd.Parameters.Add("#factuur_adres", OleDbType.VarChar, 125).Value = fact_adres;
cmd.Parameters.Add("#verzend_adres", OleDbType.VarChar, 125).Value = fact_adres1;
cmd.Parameters.Add("#totaal_prijs", OleDbType.VarChar, 7).Value = a;
try
{
conn.Open();
// An INSERT returns no rows; ExecuteNonQuery is the usual call for it.
OleDbDataReader reader = cmd.ExecuteReader();
reader.Close();
}
catch (Exception exc)
{
// NOTE(review): this shows the provider's error message to the visitor; logging it server-side and
// showing a generic message avoids exposing database details.
Label1.Text = exc.Message;
}
finally
{
conn.Close();
// The cart stored in the session is cleared whether or not the insert succeeded.
Session["Winkelwagen"] = null;
}
}
Your command text should be
// NOTE(review): Order is a reserved word in Access SQL, so the unbracketed table name may still raise
// the syntax error; [Order] avoids that - confirm against the database. The '#' markers look like '@'
// lost in extraction.
cmd.CommandText = "INSERT INTO Order (factuur_adres_id, verzend_adres_id, totaalprijs) VALUES (#factuur_adres,#verzend_adres, #totaal_prijs)";
Updated answer:
run your code with setting parameters, directly pass the value and check that it works or not
cmd.CommandText = "INSERT INTO Order (factuur_adres_id, verzend_adres_id, totaalprijs) VALUES ('abc','def','adf')";
When you are inserting don't you have to use
cmd.ExecuteNonQuery()
Instead of cmd.ExecuteReader() ??

Resources