Resolved Value from Textbox in SQL Query

tdignan87 (Well-known member; joined Jul 8, 2019; 95 messages; programming experience: Beginner)
Hi Guys,
Hope someone can help me out here.

I have this query here that works OK if I hardcode the value from the textbox into the query; otherwise I get this error. Here is the code. Any ideas?

This works perfect
```csharp
String delete_jobs = db.Query<String>("UPDATE CONFIGD SET CONFIGD.KEYVALUE = " + valueTxtBox.Text + " WHERE CONFIGD.KEYNAME = 'DisplayMixSize' and CONFIGD.SECTIONNAME = 'ProcessOptions' ").FirstOrDefault();
```

If I remove the 'DisplayMixSize', as that should be the value in the textbox, the code breaks.

This breaks
```csharp
String delete_jobs = db.Query<String>("UPDATE CONFIGD SET CONFIGD.KEYVALUE = " + valueTxtBox.Text + " WHERE CONFIGD.KEYNAME = " + keyNameTxtBox.Text + " and CONFIGD.SECTIONNAME = 'ProcessOptions' ").FirstOrDefault();
```

Added a breakpoint and the value is in the Txtbox.
 
Notice that you dropped the single quotes around the text box value. Your first code would have the single quotes around 'DisplayMixSize', while your second code does not.

A lot of this problem could be avoided if you actually used parameterized queries. It would take care of putting quotes where needed. With you currently concatenating strings to build up your query, especially if you are not sanitizing your inputs from the textbox, you are opening yourself up to a SQL injection attack. Please see: The Right Way To Query A Database: Parameterizing Your SQL Queries. - C# Tutorials | Dream.In.Code

I will leave the obligatory SQL injection attack cartoon to help imprint the idea of using parameterized queries:
 
Yeah, added single quotes and it worked.
I normally use parameterised queries and will change to this practice. Thank you as normal :)
 
The error seems to be complaining about a column which is unknown. Double check your spelling of your table's fields, and you really shouldn't be concatenating into your statements like that, as it leaves you wide open to SQL injection attacks.

Looks like Skydiver beat me to the main point.
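For reference, here is the parameterized form of the UPDATE that both answers recommend. This is an added example, not code from the thread; it assumes `db` is an open `IDbConnection` used through Dapper (whose `Query<T>(sql, param)` signature the original call appears to use), and the table and column names are the ones from the original query.

```csharp
// Added example: parameterized version of the thread's UPDATE using Dapper.
// Assumes an open IDbConnection named db; CONFIGD / KEYVALUE / KEYNAME /
// SECTIONNAME are the table and column names from the original post.
using System.Data;
using Dapper;

static int UpdateConfigValue(IDbConnection db, string keyValue, string keyName)
{
    // @KeyValue and @KeyName are bound by the driver, so the text box
    // contents are always treated as data: no quotes to manage by hand, and
    // quotes or SQL keywords typed into the box cannot change the statement.
    const string sql = @"
        UPDATE CONFIGD
           SET KEYVALUE = @KeyValue
         WHERE KEYNAME = @KeyName
           AND SECTIONNAME = 'ProcessOptions'";

    // Execute (rather than Query) is the Dapper call for statements that
    // return no rows. It returns the affected-row count, so a misspelled
    // key name shows up as 0 instead of silently doing nothing.
    return db.Execute(sql, new { KeyValue = keyValue, KeyName = keyName });
}

// Usage from the form: pass the raw text box contents, no quoting required.
// int rows = UpdateConfigValue(db, valueTxtBox.Text, keyNameTxtBox.Text);
```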
 