XML
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" EnableModelValidation="True" Width="220px">
    <Columns>
        <asp:BoundField DataField="QUESTION_NO" HeaderText="Q_NO" />
        <asp:BoundField DataField="QUESTION_DESCRIPTION" HeaderText="DESCRIPTION" />
        <asp:TemplateField HeaderText="ANSWERS">
            <ItemTemplate>
                <asp:DropDownList ID="DropDownListUser" runat="server" AutoPostBack="False">
                    <asp:ListItem Text="Yes" Value="True"></asp:ListItem>
                    <asp:ListItem Text="No" Value="False"></asp:ListItem>
                </asp:DropDownList>
            </ItemTemplate>
        </asp:TemplateField>
    </Columns>
</asp:GridView>

C#
string query;
// Loop over every data row (the original bound of Rows.Count - 1 skipped the last row).
for (int i = 0; i < GridView1.Rows.Count; i++)
{
    // Text-box values are concatenated straight into the SQL text.
    // Cells[n].ToString() yields the cell's type name, not the bound value or the
    // DropDownList selection (see the solution below).
    query = "insert into student_info values('" + regtxtbox.Text + "','" + gentxtbox.Text
          + "','" + bactxtbox.Text + "','" + pretxtbox.Text + "','" + gratxtbox.Text
          + "','" + Unetxtbox.Text + "','" + agetxtbox.Text + "','" + cgptxtbox.Text
          + "','" + smetxtbox.Text + "','" + sestxtbox.Text + "','" + exptxtbox.Text
          + "','" + martxtbox.Text + "','" + GridView1.Rows[i].Cells[0].ToString()
          + "','" + GridView1.Rows[i].Cells[2].ToString() + "')";

    MessageBox.Show("SURVEY INFORMATION HAS BEEN STORED IN DATABASE");

    SqlCommand cmd = new SqlCommand(query, conobj);
    cmd.ExecuteNonQuery();
}
Comments
Andy Lanng 9-Apr-15 11:50am    
Hi, my name is "'); drop table users;('" and I'll be taking your survey today.

Look into SQL Injection, my friend, and you'll see why that joke really isn't funny.

1 solution

Simple: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack, which can destroy your entire database. Use parameterized queries instead.

At the moment, you are wide open to anyone who has access to your site: they can type in any one of your text boxes, and delete your database.
And the concatenation also causes your problem, because
C#
GridView1.Rows[i].Cells[2].ToString()
returns the name of the control, "System.Web.UI.WebControls.DataControlFieldCell", rather than its content. If you use a parameterised query, you can pass the cell value through directly without converting it to a string first.
 
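The same insert written the way the solution recommends, as an added example that is neither the question's code nor the solution author's. Each text-box value and each grid cell travels as a typed SqlParameter, the DropDownList in the template column is reached with FindControl, and the bound QUESTION_NO is read from the cell's Text property instead of calling ToString() on the cell. The column names of student_info, the "SurveyDb" connection-string name, the StatusLabel control and the parameter types are assumptions; the page does not give them.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public partial class Survey : System.Web.UI.Page
{
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Assumed connection-string name; kept in web.config rather than in code.
        string connectionString =
            ConfigurationManager.ConnectionStrings["SurveyDb"].ConnectionString;

        int saved = SaveSurvey(connectionString, GridView1);
        // Report on the page; MessageBox.Show has no meaning inside a web request.
        StatusLabel.Text = saved + " answer row(s) stored.";
    }

    // One row per grid row. Because every value is bound as a parameter, a quote,
    // semicolon or "drop table" typed into a text box is stored as data, never executed.
    private int SaveSurvey(string connectionString, GridView grid)
    {
        // Explicit column list (assumed names) so the statement does not depend on column order.
        const string sql =
            "INSERT INTO student_info " +
            "(reg_no, gender, background, previous, grade, university, age, cgpa, " +
            " semester, session, experience, marital, question_no, answer) " +
            "VALUES (@reg, @gen, @bac, @pre, @gra, @une, @age, @cgp, " +
            "        @sme, @ses, @exp, @mar, @qno, @ans)";

        int rowsInserted = 0;

        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            conn.Open();
            // One transaction: either the whole survey is stored or nothing is.
            using (SqlTransaction tx = conn.BeginTransaction())
            using (SqlCommand cmd = new SqlCommand(sql, conn, tx))
            {
                // Per-student values are identical for every row, so bind them once.
                AddText(cmd, "@reg", regtxtbox.Text);
                AddText(cmd, "@gen", gentxtbox.Text);
                AddText(cmd, "@bac", bactxtbox.Text);
                AddText(cmd, "@pre", pretxtbox.Text);
                AddText(cmd, "@gra", gratxtbox.Text);
                AddText(cmd, "@une", Unetxtbox.Text);
                AddText(cmd, "@age", agetxtbox.Text);
                AddText(cmd, "@cgp", cgptxtbox.Text);
                AddText(cmd, "@sme", smetxtbox.Text);
                AddText(cmd, "@ses", sestxtbox.Text);
                AddText(cmd, "@exp", exptxtbox.Text);
                AddText(cmd, "@mar", martxtbox.Text);

                // Per-row parameters: declared once, value reassigned in the loop.
                SqlParameter qno = cmd.Parameters.Add("@qno", SqlDbType.NVarChar, 20);
                SqlParameter ans = cmd.Parameters.Add("@ans", SqlDbType.Bit); // assumed bit column

                foreach (GridViewRow row in grid.Rows)
                {
                    if (row.RowType != DataControlRowType.DataRow) continue;

                    // BoundField cell: Text carries the displayed QUESTION_NO.
                    qno.Value = row.Cells[0].Text;

                    // TemplateField cell: the DropDownList is a child control, found by ID.
                    DropDownList answer = (DropDownList)row.FindControl("DropDownListUser");
                    ans.Value = bool.Parse(answer.SelectedValue); // ListItem values are "True"/"False"

                    rowsInserted += cmd.ExecuteNonQuery();
                }

                tx.Commit();
            }
        }

        return rowsInserted;
    }

    // Helper: bind a text-box value as an NVarChar parameter (length is an assumption).
    private static void AddText(SqlCommand cmd, string name, string value)
    {
        cmd.Parameters.Add(name, SqlDbType.NVarChar, 100).Value = value;
    }
}
```

Because the SQL text is a constant and the user-supplied strings are only ever parameter values, the shape of the statement cannot change no matter what is typed; the transaction additionally keeps a failure on one row from leaving a partial survey in the table.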
 
Comments
OriginalGriff 9-Apr-15 12:16pm    
DON'T SHOUT. Using all capitals is considered shouting on the internet, and rude (using all lower case is considered childish). Use proper capitalization if you want to be taken seriously.
OriginalGriff 9-Apr-15 13:57pm    
OK, have you converted that to a parameterised query?
OriginalGriff 9-Apr-15 13:56pm    
http://en.wikipedia.org/wiki/Etiquette_in_technology

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


