Invalid column name

Question

Arjun_Sarankulu -3 Junior Poster

13 Years Ago

I am having a form through which user will enter empcode(checking whether it is present in the table)
When i click On Login i am getting the following error
Invalid column name
cmd.CommandText = "select employee_code from MST_Employee where employee_code = " + emp_code;

In the above select i m writing the where condition in which empcode is getting from textbox

Form1 frm = new Form1();
            emp_code = First_NametextBox.Text;
            SqlConnection connection_string = new SqlConnection(System.Configuration.ConfigurationManager.AppSettings["database1"]);
            connection_string.Open();
            SqlCommand cmd = connection_string.CreateCommand();
            cmd.CommandText = "select employee_code from MST_Employee where employee_code = " + emp_code;
            SqlDataReader row = cmd.ExecuteReader();

            while (row.Read())
            {
                temp_emp_code = (string)row[0];
            }
            row.Close();
            connection_string.Close();
            MessageBox.Show("Temp-emp-value : " + temp_emp_code);
            if (emp_code == temp_emp_code)
            {

                frm.Show();
            }
            else 
            {
                MessageBox.Show("Invalid Employee Code Type Again");
                return;
            }
            //MessageBox.Show("First :" + emp_code);

I am not getting what is wrong in my code

3 Contributors
4 Replies
126 Views
22 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by Arjun_Sarankulu

Mitja Bonca 557 Nearly a Posting Maven

13 Years Ago

It has to written like this:

cmd.CommandText = "select employee_code from MST_Employee where employee_code = '" + emp_code + "';

Mitja

Edited 13 Years Ago by Mitja Bonca because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Momerath 1,327 Nearly a Senior Poster Featured Poster · Answer 1 · 2011-03-28T19:55:05+00:00

And if you are only expecting one value you should use ExecuteScaler() not ExecuteReader().

Mitja Bonca 557 Nearly a Posting Maven · Answer 2 · 2011-03-28T22:28:10+00:00

yes, Reader is used to get more values (specific ones).

Arjun_Sarankulu -3 Junior Poster · Answer 3 · 2011-03-29T11:21:20+00:00

Thanks for giving your valuable time
I am using execute scalar but problem can be of sql injection(in textbox user can type delete)

SqlCommand cmd = connection_string.CreateCommand();
            cmd.CommandText = "select employee_code from MST_Employee where [employee_code] = '" + Emp_codetextBox.Text + "'";
            
            temp_emp_code = (string)cmd.ExecuteScalar();

How can i correct the above code to avoid sql injection
And user give correct id it showing the next form according to code but it is not closing the login form