I am facing a problem in executing the below code (Syntax Error). Basically I want to query with multiple OR statements for SQL Server. Please help me with what I should do. Thanks.

Database Fields: pId, pAltId, pMobile, pDate, pName

Variables: argID, alt_ID, p_mobile, p_date, p_Name

C#
String selectStr = "select * from " + thisTable + " where pId = " + argID + " " + OR + " pAltId = " + alt_ID + " " + OR + " pMobile = " + p_mobile + " "  + OR + " pDate = '" + p_date + "' " + OR + " pName = '" + p_Name + "'";
Updated 26-Mar-13 13:15pm
Comments
[no name] 26-Mar-13 19:09pm    
To begin with, you have mismatched single quote characters in your query. Which could have been entirely avoided if you used a parameterized query instead of this SQL injection attack waiting to happen stuff.
Sergey Alexandrovich Kryukov 26-Mar-13 19:17pm    
Right. I provided a detailed answer. Please see my solution — you may find the first link very interesting. :-)
Your comment is of course credited.
—SA
Kenneth Haugland 26-Mar-13 19:09pm    
You seem to have confused the + signs; they shouldn't be included in the "+" but + " " etc.
Sergey Alexandrovich Kryukov 26-Mar-13 19:18pm    
Maybe; it's a pain in the eyes to look thoroughly :-). I provided a detailed answer. Please see my solution — you may find the first link very interesting. :-)
Your comment is of course credited.
—SA
apurba001 26-Mar-13 19:13pm    
Error is "The name 'OR' does not exist in the current context"

String selectStr = "select * from " + thisTable + " where pId = " + argID + " "
+ OR + " pAltId = " + alt_ID + " " + OR + " pMobile = " + p_mobile + " "
+ OR + " pDate = '" + p_date + "' " + OR + " pName = '" + p_Name + "'";

C#
// OR is an SQL keyword, so it belongs inside the string literal; the date stays quoted as in the original query.
String selectStr = "select * from " + thisTable + " where pId = " + argID + " OR pAltId = " + alt_ID + " OR pMobile = " + p_mobile + " OR pDate = '" + p_date + "' OR pName = '" + p_Name + "'";


Something better to use would be
C#
using System;
using System.Data;
using System.Data.SqlClient;

try
{
    // A table name cannot be passed as a SqlParameter (SQL Server would report an undeclared
    // variable @table), so check it against a known list (allowedTables is assumed to be a
    // collection you maintain) and append the validated name to the SQL text.
    if (!allowedTables.Contains(thisTable))
        throw new ArgumentException("Unknown table: " + thisTable);

    SqlCommand selectCommand = new SqlCommand(
        "SELECT * FROM " + thisTable + " WHERE pId = @paramId OR pAltId = @paramAltId OR pMobile = @paramMobile OR pDate = @paramDate OR pName = @paramName",
        SqlConnectionHolder) { CommandType = CommandType.Text };
    selectCommand.Parameters.AddWithValue("@paramId", argID);
    selectCommand.Parameters.AddWithValue("@paramAltId", alt_ID);
    selectCommand.Parameters.AddWithValue("@paramMobile", p_mobile);
    selectCommand.Parameters.AddWithValue("@paramDate", p_date);
    selectCommand.Parameters.AddWithValue("@paramName", p_Name);

    // using disposes the reader even if an exception is thrown while reading
    using (SqlDataReader selectCommandResult = selectCommand.ExecuteReader())
    {
        // You should state what columns you wish to return instead of using wild cards, as table structures can change
        while (selectCommandResult.Read())
        {
            string columnOne = selectCommandResult.GetValue(0).ToString().Trim();
            string columnTwo = selectCommandResult.GetValue(1).ToString().Trim();
            string columnThree = selectCommandResult.GetValue(2).ToString().Trim();
            // Etc...
        }
    }
}
catch (Exception)
{
    throw; // "throw ex;" would reset the stack trace; rethrow the original exception as-is
}


Might I also suggest you make a habit of keeping one naming convention per project, i.e. the variable names you've given below:
thisTable
p_mobile
alt_ID
argID

Should all be one convention like:
tbTableName
pMobileParam
pAltIdParam
pArgIdParam

It will make it easier to read in the future.

Further reading: http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.aspx
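An added, runnable illustration of the point made in this answer (not code from the question or the answerer): the same five-way OR lookup, once with values spliced into the SQL text as in the question and once with bound parameters and an allow-list for the table name. It uses Python with an in-memory SQLite table (constructed sample rows) in place of C# and SQL Server so it runs offline; the table name `persons` and the `ALLOWED_TABLES` list are assumptions.

```python
import sqlite3

# Allow-list for the table name: table names cannot be bound as parameters
# in SQL Server (or SQLite), so they must be validated before being appended.
ALLOWED_TABLES = {"persons"}


def make_db():
    """Constructed in-memory table with the question's five fields and three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (pId INTEGER, pAltId INTEGER, "
                 "pMobile TEXT, pDate TEXT, pName TEXT)")
    conn.executemany("INSERT INTO persons VALUES (?, ?, ?, ?, ?)", [
        (1, 10, "555-0100", "2013-03-26", "Alice"),
        (2, 20, "555-0101", "2013-03-27", "O'Brien"),
        (3, 30, "555-0102", "2013-03-28", "Carol"),
    ])
    return conn


def concat_query(table, arg_id, alt_id, mobile, date, name):
    """The question's approach: values spliced straight into the SQL text (kept for contrast)."""
    return ("select * from " + table + " where pId = " + str(arg_id)
            + " OR pAltId = " + str(alt_id) + " OR pMobile = '" + mobile
            + "' OR pDate = '" + date + "' OR pName = '" + name + "'")


def run_concat(conn, *args):
    """Execute the concatenated query; returns None when a quote in the data breaks the SQL."""
    try:
        return conn.execute(concat_query(*args)).fetchall()
    except sqlite3.OperationalError:
        return None


def find_person(conn, table, arg_id, alt_id, mobile, date, name):
    """Parameterized version of the same lookup: the driver binds the values,
    so a quote inside a name is data, not SQL syntax."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % table)
    sql = ("SELECT pId, pAltId, pMobile, pDate, pName FROM " + table +
           " WHERE pId = ? OR pAltId = ? OR pMobile = ? OR pDate = ? OR pName = ?"
           " ORDER BY pId")
    return conn.execute(sql, (arg_id, alt_id, mobile, date, name)).fetchall()
```

A name such as O'Brien makes the concatenated query fail to parse (the mismatched-quote problem raised in the comments), while the parameterized query returns the row.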
You already got good advice, in the comments to the question, by ThePhantomUpvoter and Kenneth Haugland.

This is a great example of this problem: http://xkcd.com/327/.

I'll explain what to do instead. Please see my past answer:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)