Click here to Skip to main content
14,267,806 members
Rate this:
Please Sign up or sign in to vote.
See more:
What is the mistake in that code
I need to select from specific table using two fileds together using (And) (&)
Select from table where filed1 and filed 2 and filed 3 = condition1, condition 2, condition 3
Any one can help

What I have tried:

string sQry = "SELECT * FROM Conductors where Type =('"+Convert.ToString(comboBox1.SelectedItem)+"') and Shape = ('" + Convert.ToString(comboBox2.SelectedItem) + "'),";
Posted
Updated 6-Jul-19 3:31am
Rate this:
Please Sign up or sign in to vote.

Solution 1

The biggest mistake is to build an SQL statement directly with user input.
Use always parametrized queries to avoid SQL Injection.
Note: For your code at the moment this is not that critical, because you are using the combobox index.

The mistake in your case is, that you join the strings wrong. To make string joining more readable I suggest to use so called string interpolation:
string sQry = $"SELECT * FROM Conductors where Type = '{comboBox1.SelectedItem.ToString()}' and Shape = '{comboBox2.SelectedItem.ToString()}'" ... etc;


Again: Do not build sql statements directly from user input.

Please see also Solution 2 from @SLFC-Mike, which describes a lot much more in details
I hope it helps.
   
v6
Comments
MadMyche 6-Jul-19 9:44am
   
+5 for simply typing faster than I
0x01AA 6-Jul-19 9:55am
   
No no, you describe all the things much more in details and much more better than me *thumbs up*
MadMyche 6-Jul-19 10:36am
   
... but you used the fancy string.interpolation
Rate this:
Please Sign up or sign in to vote.

Solution 2

There are most likely multiple errors in your statement.

The main issue I see is a major vulnerability known as SQL Injection. You should NEVER EVER piece user entered data asstrings together to form a SQL statement. The proper way to add variables into a command is via Parameters
string sQry = "SELECT * FROM Conductors WHERE Type = @Type AND Shape = @Shape";

SqlCommand cmd = new SqlCommand(sQry, {SqlConnection});
cmd.Parameters.AddWithValue("@Type", Convert.ToString(comboBox1.SelectedItem));
cmd.Parameters.AddWithValue("@Shape", Convert.ToString(comboBox2.SelectedItem));
The next thing to look at is your syntax; normally if you were going to wrap your conditions in parenthesis it would be around the whole comparison and not just the term, or; you can omit them on rather simple clauses
-- yours (translated)
SELECT * FROM Conductors WHERE Type =('TypeValue') AND Shape = ('ShapeValue')

-- preferred
SELECT * FROM Conductors WHERE (Type = 'TypeValue') AND (Shape = 'ShapeValue')
-- without parenthesis
SELECT * FROM Conductors WHERE Type ='TypeValue' AND Shape = 'ShapeValue'
And the last thing to look at is the terms that are being used; it looks like some of the column names in use may be classified as reserved or special; in which case they should be delineated as such to specify this as a column name (or other SQL Object as needed). The rule I use to determine this is if I type it into SQL Studio and the color changes then it should get wrapped. If you look at these code samples you will see that Type has been highlighted. In SQL Server you would wrap the term in [square brackets].
SELECT * FROM Conductors WHERE [Type] ='TypeValue' AND [Shape] = 'ShapeValue'
   
Comments
0x01AA 6-Jul-19 9:33am
   
+5

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100