Click here to Skip to main content
15,887,027 members
Search within:


C# - syntax error: missing operand after 'unary' operator
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
C#
I have a problem running this code that I get from youtube. I tried everything but it keeps me getting this error. Can anybody help me?

What I have tried:

string strTextBox1 = TextBox1.Text.Trim().ToString();
            StringBuilder sb = new StringBuilder();
            sb.AppendFormat("( Convert (ID, 'System.String) LIKE '" + " {0} " + "')", strTextBox1);
            sb.AppendFormat("OR(FacilityName LIKE '*" + "{0}" + "*')", strTextBox1);
Posted
Updated 4-Feb-20 12:51pm
Add a Solution
Comments
jimmson 30-Jan-20 3:39am    
If you're getting some syntax error, it's not from the code you posted.
I don't have any problem to compile it.
phil.o 30-Jan-20 5:51am    
string strTextBox1 = TextBox1.Text.Trim().ToString();
Why are you calling ToString() method on something which already is a string?

2 solutions

What is that quote doing in there?
sb.AppendFormat("( Convert (ID, 'System.String) LIKE '" + " {0} " + "')", strTextBox1);
                                ^
                                |
It has no matching quote...
Add to that, whoever wrote teh code you don;t understand is ... um ... an idiot.
It can be simplified first to this:
sb.AppendFormat("( Convert (ID, System.String) LIKE ' {0} ')", strTextBox1);
which is a lot more readable (and the same for your second string) or more modernly like this:
sb.AppendFormat($"( Convert (ID, System.String) LIKE ' {strTextBox1} ')");
But... if that is going anywhere near SQL, then don't do that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
And secondly, comparing numbers as strings is a very poor idea as string comparisons work by comparing the first different pair of characters in the two strings: so teh sort order is 
1
10
11
12
...
19
2
20
21
...
Not the order you'd expect.
I'd wonder about the competence of whoever created the YouTube video - but that's no surprise most of 'em are created by people who know nothing about creating videos, and even less about the subject they are covering ...
 
Share this answer
 
Posted
Comments
Rob Philpott 30-Jan-20 7:27am    
It's a bit odd isn't it? Can't see it going near SQL because that doesn't know about System.String (unless it's some weird managed extension), and wildcard matching is done using % not *. Some sort of DataSet maybe. I have no idea.

But the quote mismatch is most probably it I'd have thought.
OriginalGriff 30-Jan-20 7:29am    
I'm guessing it's going to be a filter string to a DGV or something, but ... with YouTube it could be *anything*: it doesn't have to work to get subscribers, and that's what they are after.
C#
string strTextBox1 = TextBox1.Text.Trim().ToString();
StringBuilder sb = new StringBuilder();
sb.AppendFormat("( Convert (ID, 'System.String) LIKE '" + " {0} " + "')", strTextBox1);
sb.AppendFormat("OR(FacilityName LIKE '*" + "{0}" + "*')", strTextBox1);

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]

Advice: when you compose a query that don't work, first print the resulting query that you send to server, it can help to see where is the syntax error.
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
got Syntax error: Missing operand after 'No' operator.
Syntax error: Missing operand after '12' operator.
C# -syntax error: missing operand after 'TAG' operator.
Syntax Error: Missing operand after WHERE operator
Missing operand before '&' operator.
Syntax error: missing operand after 'I' operator VB.NET
Syntax error: Missing operand after '_Batch_Tag1 ' operator.
Syntax Error: Missing operand after 'classes' operator
Error Missing Operand
missing operand error

Advertise
Privacy
Cookies
Terms of Use
Last Updated 4 Feb 2020
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900