Click here to Skip to main content
15,070,904 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
This code is not working. when i debug the code line by line facing issue of conversion. system show error "Conversion of varchar to datetime is over range (something like that)".

What I have tried:

public DataTable GetAllSessionForDoctor(DateTime dtsession, long locationId)
      {
          SqlCommand cmd = new SqlCommand();
          SqlConnection con = new SqlConnection(Properties.Settings.Default.HMSCon);
          string str = "SELECT  tblEmployee.Employeeid, tblEmployee.EmployeeName + ' ' + tblEmployee.MiddleName + ' ' + tblEmployee.LastName AS [Doctor Name] " +
               " FROM tbluserType INNER JOIN tblEmployee ON tbluserType.utid = tblEmployee.type INNER JOIN " +
               " sessionDoctor ON tblEmployee.Employeeid = sessionDoctor.doctorID INNER JOIN sessionOPD ON sessionDoctor.sessionID = sessionOPD.sessionId INNER JOIN " +
               " tblDoctorCategory ON sessionDoctor.doctorID = tblDoctorCategory.doctorId WHERE (sessionOPD.sessionDate = '" + dtsession + "') AND (tblEmployee.LocationId = " + locationId + ") AND (tbluserType.CEP = 'true') and (tblemployee.EndJob = 'false')";

          SqlDataAdapter da = new SqlDataAdapter(str, con);
          DataTable dt = new DataTable();
          try
          {
              con.Open();
              da.Fill(dt);
              //MessageBox.Show(dt.ToString());
          }
          catch (Exception ex)
          {
              throw new Exception(ex.Message);
          }
          finally
          {
              con.Close();
          }
          return dt;
          //MessageBox.Show(dt.ToString());
      }
Posted
Updated 13-Oct-18 2:32am
Comments
F-ES Sitecore 13-Oct-18 8:36am
   
Use parameterised queries rather than using string concatenation to build your query. That alone might make the problem go away.

To preempt your next question, google "c# ado.net paramterised query" to find out how to do this.
Member 13922470 13-Oct-18 8:51am
   
Thank you for you response but first thing this code is already make by someone else. i am working on someone else code so i can't do DROP and DELETE. please give me some other solution. Thanks again in advance
F-ES Sitecore 13-Oct-18 8:56am
   
You don't have to modify the database at all, just update the code.
Member 13922470 13-Oct-18 9:02am
   
so what's the best option to solve this problem sir?
F-ES Sitecore 13-Oct-18 9:15am
   
Myself and OriginalGriff have both already told you...use parameterised queries rather than building the SQL statement as a single string.
Richard Deeming 16-Oct-18 12:24pm
   
const string str = "SELECT  tblEmployee.Employeeid, tblEmployee.EmployeeName + ' ' + tblEmployee.MiddleName + ' ' + tblEmployee.LastName AS [Doctor Name] " +
    " FROM tbluserType INNER JOIN tblEmployee ON tbluserType.utid = tblEmployee.type INNER JOIN " +
    " sessionDoctor ON tblEmployee.Employeeid = sessionDoctor.doctorID INNER JOIN sessionOPD ON sessionDoctor.sessionID = sessionOPD.sessionId INNER JOIN " +
    " tblDoctorCategory ON sessionDoctor.doctorID = tblDoctorCategory.doctorId WHERE (sessionOPD.sessionDate = @dtsession) AND (tblEmployee.LocationId = @locationId) AND (tbluserType.CEP = 'true') and (tblemployee.EndJob = 'false')";

SqlDataAdapter da = new SqlDataAdapter(str, con);
da.SelectCommand.Parameters.AddWithValue("@dtsession", dtsession);
da.SelectCommand.Parameters.AddWithValue("@locationId", locationId);

1 solution

Do not do things like that. Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Fix the whole of your app before you even think about this problem, and almost certainly you will find that your problem has gone at the same time!
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900