Blank spaces in mysql using c#

Question

5.00/5 (1 vote)

See more:

C#

MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where 'Extra2 value'='" + s.Text + "'", myConn);

Hello,

I ma trying to select value from mysql table unfortunately my columns names have got spaces and if I use '' output to data grid is 0 could you let me know please how to solve this issue tried to use [] as well and it did not work :(

sorry for my english and thank you for any help

Posted 15-Apr-15 1:44am

SyAndroidDog

Add a Solution

3 solutions

Solution 1

kindly rename the column and use preceding below query

MySqlCommand SelectCommand = new MySqlCommand("select * from partsfinder.blancco where Extra2value='" + s.Text + "'", myConn)

Posted 15-Apr-15 2:58am

upendra shahi

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Peter Leow · Accepted Answer · 2015-04-15T03:10:00

Solution 2

Use back tick

instead of single quote

to enclose the column name.
BTW, you should not inject parameters directly into the sql statement as it is opened to SQL Injection[^].

Posted 15-Apr-15 3:10am

Peter Leow

Comments

Sergey Alexandrovich Kryukov 15-Apr-15 10:10am

Did you notice that, in the effort to mitigate SQL injection attack via parametrized statements, which you did not explain, the problem with any characters in the string data will also go? So, the first part of your advice, being formally correct, won't be needed... Please see Solution 3...
—SA

Sergey Alexandrovich Kryukov · Accepted Answer · 2015-04-15T03:10:00

Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

And now — drums… using parametrized statements will also solve the "problem" of blanks spaces in data, as well as any other characters confusing your use of SQL syntax. :-)

—SA