Hey guys, I'm still very new to C# and am very lost.

I have two drop-down lists, `ddlcountry` (Country) and `DdPetPist` (Specie). The country selection populates the Specie list with the species available in the selected country.

**Code below**

C#
// cs is the page's MySqlConnection field, declared elsewhere in the code-behind.
protected void Page_Load(object sender, EventArgs e)
{
    if (!Page.IsPostBack)
    {
        // Fill the Country list once, on the first (non-postback) request.
        MySqlCommand cd2 = new MySqlCommand("SELECT DISTINCT(Country) FROM Animals", cs);
        cs.Open();
        MySqlDataReader ddlCountry = cd2.ExecuteReader();
        ddlcountry.DataSource = ddlCountry;
        ddlcountry.DataValueField = "Country";
        ddlcountry.DataTextField = "Country";
        ddlcountry.DataBind();
        cs.Close();
        cs.Dispose();
    }
}

protected void ddlcountry_SelectedIndexChanged(object sender, EventArgs e)
{
    if (ddlcountry.Text != string.Empty)
    {
        // The selected country is pasted straight into the SQL text; this is the
        // string-formatted query that is open to SQL injection.
        MySqlCommand cd = new MySqlCommand(string.Format("SELECT * FROM Animals WHERE Country ='{0}'", ddlcountry.Text), cs);
        cs.Open();
        MySqlDataReader ddlSpecie = cd.ExecuteReader();
        DdPetPist.DataSource = ddlSpecie;
        DdPetPist.DataValueField = "Specie";
        DdPetPist.DataTextField = "Specie";
        DdPetPist.DataBind();
        cs.Close();
        cs.Dispose();
    }
}

This works very well and I am happy with it, although I am in the process of protecting it from SQL injection.

**The problem**

I am now trying to print information out into two labels with two queries, and this is where I am having problems. So far my labels will print out information such as pet price and stock amounts, but I can't seem to get the queries to adjust to the different country selection.
I have been at this for a few days now and any help will be fantastic, as I am very new to C# and still learning.

Label code and queries (not changing with the different country selection):


C#
protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
{
    string selection_price = DdPetPist.SelectedValue;
    string selection_stock = DdPetPist.SelectedValue;
    string petPrice = string.Empty;
    string available = string.Empty;

    // ddlcountry.Text is passed as argument {0}, but neither format string refers
    // to {0}, so the country never reaches the query: only Specie is filtered on.
    MySqlCommand cd_price = new MySqlCommand(String.Format("SELECT Specie_Price FROM Animals WHERE Specie ='{1}'", ddlcountry.Text, selection_price), cs);
    MySqlCommand cd_available = new MySqlCommand(String.Format("SELECT Stock FROM Animals WHERE Specie ='{1}'", ddlcountry.Text, selection_stock), cs);

    cs.Open();
    petPrice = Convert.ToString(cd_price.ExecuteScalar());
    available = Convert.ToString(cd_available.ExecuteScalar());
    cs.Close();

    PetPrice.Text = String.Format("Minimum Donation For A {0}  Is £{1}.", selection_price, petPrice);
    Availble.Text = String.Format("{0}'s Avalible {1} In Your Country.", selection_stock, available);
}
Comments
Sergey Alexandrovich Kryukov 25-Nov-13 19:39pm    
Isn't it a re-post of your previous question?
—SA
Ben Oats 25-Nov-13 19:42pm    
I tried to lay it out better and show more code to help people understand my question better, as I felt it was a bit confusing to get my point over.
Sergey Alexandrovich Kryukov 25-Nov-13 19:48pm    
Such things are considered as abuse, for apparent reasons: some users highly contaminate the forum with re-posts, so it needs some counter-action.
If you need to, you should rather use "Improve question" on the original page of your question. By the way, it would put your question back on top of the question queue.
—SA
Ben Oats 25-Nov-13 19:53pm    
Thank you, I did not know that. I will not spam this site and will try to use it the correct way.
Sergey Alexandrovich Kryukov 25-Nov-13 19:55pm    
No problem; this was not a heavy abuse, so I hope no one is going to report your account for that. (Some heavy abusers even got their accounts cancelled.)
Thank you for understanding.
—SA

Why would you ignore my answer to your previous question? It can cost you too much, because this is about security. Not only is this not concatenation (which is only a good thing), but making queries this way is absolutely vulnerable to SQL injection:
correcting concatenation query. C# and MySQL.

Don't even play with the idea of continuing to use string-manipulated queries instead of parameterized statements.

—SA
OK, not perfect, and it is still susceptible to SQL injection, which I am still learning how to fix, but to get the query to work I have found this fix works well.

C#
// Country is now part of the WHERE clause, so the result follows the country selection.
// The values are still string-formatted into the SQL text, so this is not yet injection-safe.
MySqlCommand cd_price = new MySqlCommand(String.Format("SELECT Specie_Price FROM Animals WHERE Specie ='{1}' and Country ='{0}'", ddlcountry.SelectedItem.ToString().Trim(), selection_price), cs);
MySqlCommand cd_available = new MySqlCommand(String.Format("SELECT Stock FROM Animals WHERE Specie ='{1}' and Country ='{0}'", ddlcountry.SelectedItem.ToString().Trim(), selection_stock), cs);
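The parameterized form of these two lookups, as an added example that is not part of either answer on this page. It keeps the page's table and column names (Animals, Country, Specie, Specie_Price, Stock) and assumes the MySql.Data (Connector/NET) `MySql.Data.MySqlClient` namespace; the `PetLookup` class, its method names, the connection string and the sample payload are the example's own. The `Main` method only builds the commands so the difference is visible without a database; `LoadPetInfo` is what the page-behind handler would call.

```csharp
// Added example (not from the original post): parameterized versions of the
// page's price/stock lookups, next to the string.Format version, so the
// difference is visible. Assumes the MySql.Data (Connector/NET) package.
using System;
using MySql.Data.MySqlClient;

public static class PetLookup
{
    // The page's approach: user-controlled values are pasted into the SQL text,
    // so a quote in either value changes the statement's structure.
    public static string BuildVulnerableQuery(string country, string specie)
    {
        return string.Format(
            "SELECT Specie_Price FROM Animals WHERE Specie ='{1}' and Country ='{0}'",
            country, specie);
    }

    // Parameterized approach: the SQL text is fixed, and the values travel as
    // parameters that the driver never interprets as SQL, whatever they contain.
    public static MySqlCommand BuildPriceCommand(MySqlConnection cs, string country, string specie)
    {
        var cmd = new MySqlCommand(
            "SELECT Specie_Price FROM Animals WHERE Specie = @specie AND Country = @country", cs);
        cmd.Parameters.AddWithValue("@specie", specie);
        cmd.Parameters.AddWithValue("@country", country);
        return cmd;
    }

    public static MySqlCommand BuildStockCommand(MySqlConnection cs, string country, string specie)
    {
        var cmd = new MySqlCommand(
            "SELECT Stock FROM Animals WHERE Specie = @specie AND Country = @country", cs);
        cmd.Parameters.AddWithValue("@specie", specie);
        cmd.Parameters.AddWithValue("@country", country);
        return cmd;
    }

    // Runs both lookups on one connection and disposes everything afterwards.
    // ExecuteScalar returns null when no row matches (e.g. a Specie/Country pair
    // that does not exist), so the caller receives null instead of an exception.
    public static (string price, string stock) LoadPetInfo(string connectionString, string country, string specie)
    {
        using (var cs = new MySqlConnection(connectionString))
        {
            cs.Open();
            using (var priceCmd = BuildPriceCommand(cs, country, specie))
            using (var stockCmd = BuildStockCommand(cs, country, specie))
            {
                object price = priceCmd.ExecuteScalar();
                object stock = stockCmd.ExecuteScalar();
                return (price == null ? null : Convert.ToString(price),
                        stock == null ? null : Convert.ToString(stock));
            }
        }
    }

    public static void Main()
    {
        // Constructed payload (assumption for the demo): what an attacker submits as
        // the Specie value. A DropDownList only limits honest browsers; the POST
        // body can carry any string for the field.
        string payload = "Dog' OR '1'='1";

        // The formatted text now contains an OR clause the developer never wrote.
        Console.WriteLine(BuildVulnerableQuery("UK", payload));

        // The parameterized command's text is unchanged; the payload stays a value.
        using (var cmd = BuildPriceCommand(null, "UK", payload))
        {
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters["@specie"].Value);
        }
    }
}
```

In the page's `DropDownList1_SelectedIndexChanged` handler this would be `var (price, stock) = PetLookup.LoadPetInfo(connString, ddlcountry.SelectedValue, DdPetPist.SelectedValue);` followed by the two `String.Format` calls that set the labels, with `connString` being the page's own connection string. Note that `.Trim()` or `.ToString()` on the selected item is not a defence: the posted value is attacker-controlled regardless of what the drop-down offers, and only the parameter mechanism keeps it out of the SQL text.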
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900