Member Avatar for RobertKramers

Hi there,

Im getting the error above, when i run my code.

string myCommand = "SELECT * FROM Manager WHERE UserName=" + ID;

        SqlDataAdapter da = new SqlDataAdapter(myCommand, con);

        DataSet ds = new DataSet();

        try
        {
            con.Open();
            da.Fill(ds); [B]// <- highlighting this part of the code..[/B]
        }
        finally
        {
            con.Close();
        }
        foreach (DataRow dr in ds.Tables[0].Rows)
        {
            txtUserName.Text = dr[1].ToString();

        }

    }
}

All i want to do is query the MS SQL database for data and extract row by row into an HTML table. This has proven to be a real pain in the neck. This simple function is sooo easy with PHP.

Please let me know if im on the right track, or if you can help with my error, i appreciate your help!

Thanks!

  • 8 Contributors
  • 8 Replies
  • 3K Views
  • 1 Year Discussion Span
  • Latest Post Latest Post by samuelmac
Member Avatar for mrGee

try to change your code to :

string myCommand = "SELECT * FROM Manager WHERE UserName= ID";

it should work if it doesn't try more alternatives.:icon_cool: [/I]

Member Avatar for Ezzaral

Try enclosing your ID value in single quotes.

string myCommand = "SELECT * FROM Manager WHERE UserName='" + ID + "'";
Member Avatar for ninjaimp

you need a space before and after the "=" sign. That may help.

Only enlcose your ID value in single quotes if is a text value.

Member Avatar for sknake

I would highly recommend against building your queries dynamically like this. You should use parameterized SQL for security and performance reasons, please see:
http://www.daniweb.com/forums/thread176306.html

Here is sample code for your situation:

private void simpleButton1_Click(object sender, EventArgs e)
{
	const string connStr = @"Data Source=apex2006sql;Initial Catalog=Leather;Integrated Security=True;";
	const string query = "Select * From Invoice Where InvNumber = @InvNumber";
	const int invNumber = 1100;

	DataSet ds = new DataSet();

	using (SqlConnection conn = new SqlConnection(connStr))
	{
		conn.Open();
		using (SqlCommand cmd = new SqlCommand(query, conn))
		{
			cmd.Parameters.Add("@InvNumber", SqlDbType.Int).Value = invNumber;
			using (SqlDataAdapter da = new SqlDataAdapter(cmd))
			{
				da.Fill(ds);
			}
		}
		conn.Close();
	}
}
Member Avatar for mail2saion

CHECK THAT YOUR ID CONTAINS A VALUE OR NOT. I THINK YOUR ID DOES NOT CONTAIN VALUE... So THAT YOUR QUERY WILL BE LIKE WHERE ...= SO WHEN YOU EXECUTE THE QUERY GETS THIS ERROR.

commented: fixed the issue I was having and spent a couple of hours looking at. +0
Member Avatar for sknake

CHECK THAT YOUR ID CONTAINS A VALUE OR NOT. I THINK YOUR ID DOES NOT CONTAIN VALUE... So THAT YOUR QUERY WILL BE LIKE WHERE ...= SO WHEN YOU EXECUTE THE QUERY GETS THIS ERROR.

This also gives another reason why parameterized queries should be used, because in the case of a blank ID it would run the query looking for null.

Member Avatar for sedgey

Totally agree with SKnake on this, any kind of attempt to use dynamic sql should include thorough checking for SQL injection attempts.

The solution is as stated that the parameter is text and should be enclosed in single quotes spaces around the equals will make no difference at all, if the parameter potentially could contain Unicode text like Japanese or Chinese characters it should also be prefixed with an N to let SQL server know that the contents could be of the NVARCHAR type.

Member Avatar for samuelmac

you need a space before and after the "=" sign. That may help.

Only enlcose your ID value in single quotes if is a text value.

THANKYOU very much for this, it fixed my issue!!!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.