Click here to Skip to main content
15,040,212 members
Please Sign up or sign in to vote.
5.00/5 (1 vote)
See more:
C#
MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where 'Extra2 value'='" + s.Text + "'", myConn);



Hello,

I ma trying to select value from mysql table unfortunately my columns names have got spaces and if I use '' output to data grid is 0 could you let me know please how to solve this issue tried to use [] as well and it did not work :(

sorry for my english and thank you for any help
Posted

Use back tick
`

instead of single quote
' 

to enclose the column name.
BTW, you should not inject parameters directly into the sql statement as it is opened to SQL Injection[^].
   
Comments
Sergey Alexandrovich Kryukov 15-Apr-15 10:10am
   
Did you notice that, in the effort to mitigate SQL injection attack via parametrized statements, which you did not explain, the problem with any characters in the string data will also go? So, the first part of your advice, being formally correct, won't be needed... Please see Solution 3...
—SA
Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

And now — drums… using parametrized statements will also solve the "problem" of blanks spaces in data, as well as any other characters confusing your use of SQL syntax. :-)

—SA
   
Comments
SyAndroidDog 15-Apr-15 9:41am
   
thank you very much I think I will have some reading to do tonight :)
Sergey Alexandrovich Kryukov 15-Apr-15 10:08am
   
Good idea.

You are very welcome.
Good luck, call again.

—SA
kindly rename the column and use preceding below query

MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where Extra2value='" + s.Text + "'", myConn)
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900