DetailPage:
C#
string qid = Page.RouteData.Values["id"].ToString();


C#
string cs = ConfigurationManager.ConnectionStrings["cs"].ToString();
// The whole statement, including "+ qid", sits inside one string literal:
// nothing is concatenated and the text "id= + qid" is sent to SQL Server as-is.
SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= + qid");
SqlConnection con = new SqlConnection(cs);
cmd.CommandType = CommandType.Text;
con.Open();
// cmd.Connection is never assigned, so the command has no connection to execute on.
SqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
    this.lblname.Text = (dr["name"].ToString());
    this.lblfamily.Text = (dr["family"].ToString());
}
cmd.Dispose();
con.Close();
con.Dispose();


What I have tried:

Excuse me for my bad English; I hope to be understood.
I want to call SqlCommand with the value as id (query string).
Posted
Updated 27-Nov-16 0:53am
Comments
PIEBALDconsult 26-Nov-16 16:10pm    
Please study up on parameterized statements. Do not use string concatenation to form an SQL statement.
Aiza Pro 27-Nov-16 4:45am    
I sent a query parameter as my ID, but my problem is not resolved. Am I sending the wrong parameters?
Sorry for my bad English.
Patrice T 27-Nov-16 0:56am    
What is the question?
Aiza Pro 27-Nov-16 4:45am    
I sent a query parameter as my ID, but my problem is not resolved. Am I sending the wrong parameters?
Sorry for my bad English.

Learn to do the right thing right: Give me parameterized SQL, or give me death[^]
 
Comments
Aiza Pro 27-Nov-16 4:39am    
Thanks. I sent a query parameter as my ID, but ...
Additional information: ExecuteReader: Connection property has not been initialized.



C#
string qid = Request.QueryString["id"];
lblid.Text = qid;

string cs = ConfigurationManager.ConnectionStrings["cs"].ToString();
// Parameterised now: @id is a placeholder and the value travels separately.
SqlCommand cmd = new SqlCommand
    ("SELECT [name], [family], [path] from [tbl_t] WHERE id=@id");
cmd.Parameters.Add(new SqlParameter("id", qid));
// The connection is created but never assigned to cmd.Connection,
// which is what the ExecuteReader error above refers to.
SqlConnection con = new SqlConnection(cs);
cmd.CommandType = CommandType.Text;
con.Open();
SqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
    this.lblname.Text = (dr["name"].ToString());
    this.lblfamily.Text = (dr["family"].ToString());
}
cmd.Dispose();
con.Close();
con.Dispose();
Peter Leow 27-Nov-16 7:07am    
The cmd object is not initialized with the connection. See https://www.dotnetperls.com/sqlcommand or
https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqldatareader(v=vs.110).aspx for examples.
Guessing that qid is your parameter, you need to replace:
C#
SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= + qid");

with
C#
SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= "+ qid);

or
C#
SqlCommand cmd = new SqlCommand("SELECT [name], [family], [path] from [tbl_t] WHERE id= '" + qid + "'");

depending on the value of qid.
Pay attention to the quote at the end.

The way you build the query is dangerous and opens the door to SQL injection.
SQL Injection[^]
SQL injection - Wikipedia[^]
 
One thing that has already been pointed out is parameterization. This keeps you safe from SQL injection and helps with conversions.

What hasn't been mentioned yet is the use of the using statement and try blocks. Both are critical to ensure that your objects are properly disposed even if an exception is encountered, and that you handle exceptions properly.

For more information, have a look at Properly executing database operations[^]
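As an added example that is not part of the original question or any of the answers, here is the DetailPage query rewritten to combine the three points made above: a parameterized SQL statement with a typed parameter (answer 1 and the injection warning in answer 2), the SqlCommand bound to its connection (Peter Leow's comment on the "Connection property has not been initialized" error), and using/try blocks so everything is disposed on the error path (answer 3). The control names (lblid, lblname, lblfamily), the "cs" connection string and the [tbl_t] table are taken from the question; that [id] is an integer column and that the code lives in Page_Load are assumptions.

```csharp
// Added example, not the question's or the answers' own code. Assumes a
// WebForms code-behind with the question's controls and connection string,
// and that [tbl_t].[id] is an int column (assumption).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class DetailPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Route value first (as in the question), query string as fallback.
        object routeId = Page.RouteData.Values["id"];
        string qid = routeId != null ? routeId.ToString() : Request.QueryString["id"];

        // Validate the untrusted input before it goes anywhere near SQL:
        // a non-numeric or non-positive id is rejected instead of sent on.
        int id;
        if (!int.TryParse(qid, out id) || id <= 0)
        {
            lblname.Text = "Invalid id";
            return;
        }
        lblid.Text = id.ToString();

        string cs = ConfigurationManager.ConnectionStrings["cs"].ConnectionString;
        // @id is a placeholder; the value is sent separately and can never
        // change the structure of the statement, which is what makes the
        // concatenated "WHERE id= '" + qid + "'" form injectable and this one not.
        const string sql = "SELECT [name], [family], [path] FROM [tbl_t] WHERE [id] = @id";

        try
        {
            // 'using' disposes the connection, command and reader even when an
            // exception is thrown. Passing 'con' to the SqlCommand constructor
            // sets cmd.Connection, the missing step behind the ExecuteReader error.
            using (SqlConnection con = new SqlConnection(cs))
            using (SqlCommand cmd = new SqlCommand(sql, con))
            {
                cmd.CommandType = CommandType.Text;
                // Typed parameter: declared as Int, so the server receives an
                // integer rather than a string it has to convert.
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

                con.Open();
                using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
                {
                    if (dr.Read())
                    {
                        // Convert.ToString maps DBNull to "" instead of throwing.
                        lblname.Text = Convert.ToString(dr["name"]);
                        lblfamily.Text = Convert.ToString(dr["family"]);
                    }
                    else
                    {
                        lblname.Text = "Not found";
                    }
                }
            }
        }
        catch (SqlException ex)
        {
            // Log the details server-side; do not echo ex.Message to the page,
            // since SQL Server error text can leak table and column names.
            System.Diagnostics.Trace.TraceError("DetailPage query failed: {0}", ex);
            lblname.Text = "Error loading record";
        }
    }
}
```

Two checks worth keeping even once the query is parameterized: validate the id as an integer before building the command, so a bad request is rejected without a round trip to the database, and keep raw exception text out of the response, since the error message from a failed query is itself information an attacker would want.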
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900