Multiple SQL Queries in C# returning a variable as a column -


i'm working on school project create registration system. chosen means of db use t-sql it's i'm familiar.

i'm using below code query db

    public void button3_click(object sender, eventargs e)     {         string studentid = (textbox1.text);         string querydob = "select dob,lastname,degree student studentid = " + studentid;          sqlconnection con = new sqlconnection(properties.settings.default.srsconnectionstring);         con.open();          sqlcommand dob = new sqlcommand(querydob, con);          sqldatareader stidreader = dob.executereader();          if (stidreader.read())         {             textbox2.text = stidreader["dob"].tostring();             textbox3.text = stidreader["lastname"].tostring();             textbox5.text = stidreader["degree"].tostring();         }         else         {             messagebox.show("your id not recognised. please try again.");             textbox1.clear();             textbox2.clear();             textbox3.clear();             textbox5.clear();         }          con.close();     }      private void textbox5_textchanged(object sender, eventargs e)     {         string degree = textbox5.text;         string degsql = "select modname module degree = " + degree;         sqlconnection con = new sqlconnection(properties.settings.default.srsconnectionstring);         dataset dsm = new dataset();         sqldataadapter connect = new sqldataadapter(degsql, con);          con.open();          connect.fill(dsm);         this.listbox2.datasource = dsm.tables[0];         this.listbox2.displaymember = "modname"; } 

the first section button click works when run query in next event (textbox change) query returns error message invalid column found. well, column found variable should using query, not column confusing.

i know there can issues called mars db seems right version.

can shed light?

appreciate it,

jamie

you missing single quotes around variable name. change code fix sql:

string degsql = "select modname module degree = '" + degree + "'"; 

or looks better:

string degsql = string.format(     "select modname module degree = '{0}'",      degree); 

however, should not way exposes sql injection attacks. read question understand means: how parameterized queries against sql injection?

here code , avoid nasty security issues:

private void textbox5_textchanged(object sender, eventargs e) {     string degree = textbox5.text;     string degsql = "select modname module degree = @degree";      dataset dsm = new dataset();      using(var con = new sqlconnection(properties.settings.default.srsconnectionstring))     {         sqlcommand cmd = new sqlcommand(degsql, con);         // use appropriate sqldbtype:         var parameter = new sqlparameter("@degree", sqldbtype.varchar);         parameter.value = degree;         cmd.parameters.add(parameter);          sqldataadapter connect = new sqldataadapter(cmd);         connect.fill(dsm);     }      this.listbox2.datasource = dsm.tables[0];     this.listbox2.displaymember = "modname"; 

Comments

Popular posts from this blog

c++ - OpenMP unpredictable overhead -

ruby on rails - RuntimeError: Circular dependency detected while autoloading constant - ActiveAdmin.register Role -

javascript - Wordpress slider, not displayed 100% width -