See more: .NET3.0 C# WebForms
Hi, I want to search for a name from the database using C#, but it's giving the error "Unknown column string". For an integer number this is working.
try
{
    con = new MySqlConnection();
    con.ConnectionString = ConfigurationSettings.AppSettings["constr"];
    con.Open();
    // The string from the text box is spliced straight into the SQL text
    // (this is the line the error and the comments below are about).
    string str = "select pfno,name,desig,oldtno,newtno from empreg where name like " + textBox1.Text;
    da = new MySqlDataAdapter(str, con);
    ds = new DataSet();
    da.Fill(ds, "empreg");
    // Fill puts the single result table at index 0 / under the name "empreg";
    // ds.Tables[1] would throw IndexOutOfRangeException.
    dataGridView1.DataSource = ds.Tables["empreg"];
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}
finally
{
    con.Close();
}
Posted 6-Aug-12 11:25am
Edited 6-Aug-12 11:27am
Comments
Wes Aday at 6-Aug-12 17:28pm
string str = "select pfno,name,desig,oldtno,newtno from empreg where name like '%" + textBox1.Text + "%'"; We will discuss SQL injection attacks another time.
Kenneth Haugland at 6-Aug-12 17:29pm
So what's the value in the Textbox then? And does your query work if you hard code it?
Wes Aday at 6-Aug-12 17:32pm
You need single quotes around strings. Integers you do not.
GuruOnu at 6-Aug-12 17:37pm
Thanks Wes, love you :)

Solution 1

Here is the answer to what Wes wanted to teach you:
SQL Injection Attacks and Some Tips on How to Prevent Them
Comments
GuruOnu at 6-Aug-12 17:39pm
   
Thanks
Sergey Alexandrovich Kryukov at 6-Aug-12 18:42pm
   
My 5. I added my variant of explaining this thing, please see.
--SA

Solution 3

One more useful article on SQL injection:
http://en.wikipedia.org/wiki/SQL_injection

You really need to get rid of building a query string by concatenation with some data taken from the UI. In a nutshell, the idea of the exploit is very simple: anything can be placed in textBox1.Text, even a fragment of SQL code. Parameterized statements solve this problem.

—SA
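The following is an added example, not code from the question or from any of the answers, showing the lookup written the way Solution 3 and Wes's comment point to: the SQL text stays constant and the text-box value is bound as a parameter, so the driver supplies the quoting (which also fixes the "Unknown column" error) and a value containing SQL fragments is only ever compared as a name. It assumes the same `empreg` table, columns and `constr` app setting as the question, and the MySql.Data connector on .NET Framework; the `EmployeeSearch` class, `FindByName` method and `EscapeLike` helper are names chosen here.

```csharp
// Added example (not the original poster's code): parameterized version
// of the name search from the question. Assumes the MySql.Data connector
// and a "constr" app setting holding the connection string.
using System;
using System.Configuration;
using System.Data;
using MySql.Data.MySqlClient;

public static class EmployeeSearch
{
    // Escape the LIKE metacharacters so a user who types "%" or "_"
    // matches those characters literally instead of turning them into
    // wildcards. '!' is declared as the escape character in the query.
    static string EscapeLike(string input)
    {
        return input.Replace("!", "!!")
                    .Replace("%", "!%")
                    .Replace("_", "!_");
    }

    public static DataTable FindByName(string nameFragment)
    {
        string connStr = ConfigurationManager.AppSettings["constr"];

        // The statement text never changes. @name is a placeholder that
        // the driver binds separately from the SQL, so no quotes are
        // concatenated and the value cannot alter the statement.
        const string sql =
            "SELECT pfno, name, desig, oldtno, newtno " +
            "FROM empreg WHERE name LIKE @name ESCAPE '!'";

        using (var con = new MySqlConnection(connStr))
        using (var cmd = new MySqlCommand(sql, con))
        {
            // The wildcards belong to the *value*, not the SQL text.
            cmd.Parameters.AddWithValue("@name", "%" + EscapeLike(nameFragment) + "%");

            var ds = new DataSet();
            using (var da = new MySqlDataAdapter(cmd))
            {
                // Fill opens and closes the connection itself when it is
                // closed on entry, and names the result table "empreg".
                da.Fill(ds, "empreg");
            }
            return ds.Tables["empreg"];
        }
    }
}

// Call site, e.g. in the button handler from the question:
// dataGridView1.DataSource = EmployeeSearch.FindByName(textBox1.Text);
```

The `using` blocks replace the try/finally with `con.Close()` from the question, and the result table is fetched by the name given to `Fill` rather than by index.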

Solution 2

"select * from empreg where pfno LIKE '%"+textBox1.Text+"%'";
Comments
Sergey Alexandrovich Kryukov at 6-Aug-12 18:41pm
No, no, this is subject to SQL injection. Never do such things.
--SA
GuruOnu at 7-Aug-12 2:48am
OK, as you say, sir.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)