Datalist error again

  • Thread starter: Dharmen

Dharmen

Hey Guys,
I know some of you guys tried to help me but it didn't work....
I have a SQL Database from which I'm trying to display some data!
I'm using this SqlCommand:
SqlCommand sqlCmd2 = new SqlCommand("SELECT x FROM ytable WHERE z=" + this.ddList1.SelectedItem.Text.ToString(), conn);

It reads the selected item properly but gives me an error saying, Invalid
column name "xyz";

xyz is one of the values for z which was selected from
this.ddList1.SelectedItem.Text.ToString();

Please help me thanks!
 
Dharmen,

The syntax of the command is wrong. If you are trying to select a
value, then you need to wrap it in quotes, like so:

select x from ytable where z = 'xyz'

Notice the quotes. However, appending the string as you have it there
is a very, very bad thing, as it opens you up to SQL injection attacks.
Your best bet would be to use a parameterized query, like so:

"select x from ytable where z = @zvalue"

And then call the appropriate methods to create a parameter, and set the
value. You can do it like this.

// Create the parameter. pobjCommand has the sql command.
// This assumes the column is of type char, and of length 10.
SqlParameter pobjParam = new SqlParameter("@zvalue", SqlDbType.Char, 10);

// Set the value on the parameter.
pobjParam.Value = "xyz";

// Now add to the command.
pobjCommand.Parameters.Add(pobjParam);

Then you can execute normally.

Hope this helps.
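
The three query forms discussed in this answer, run side by side, as an added example that is not part of the original post. It uses Python's sqlite3 with an in-memory table so it runs offline; the rows and input values are constructed, the placeholder is written `:zvalue` (SQLite's named style) instead of SQL Server's `@zvalue`, and the unquoted form fails with SQLite's "no such column" where SQL Server reports an invalid column name.

```python
import sqlite3

def make_db():
    # Constructed sample rows standing in for the thread's "ytable".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ytable (x TEXT, z TEXT)")
    conn.executemany("INSERT INTO ytable VALUES (?, ?)",
                     [("row-a", "xyz"), ("row-b", "abc"), ("row-c", "O'Neil")])
    return conn

def unquoted_concat(conn, z):
    # Form from the question: the value is parsed as a column name.
    return conn.execute("SELECT x FROM ytable WHERE z=" + z).fetchall()

def quoted_concat(conn, z):
    # Hand-added quotes: fine for xyz, but the value is still part of the SQL text.
    return conn.execute("SELECT x FROM ytable WHERE z='" + z + "'").fetchall()

def parameterized(conn, z):
    # Value is bound to the placeholder and only ever compared as data.
    return conn.execute("SELECT x FROM ytable WHERE z = :zvalue",
                        {"zvalue": z}).fetchall()

def outcome(query_fn, z):
    # Rows returned for z, or the database error text if the statement fails.
    conn = make_db()
    try:
        return sorted(row[0] for row in query_fn(conn, z))
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    finally:
        conn.close()

# Constructed inputs: a plain value, a value containing a quote, and a value
# whose quote changes the WHERE clause when it is pasted into the SQL text.
SAMPLES = ["xyz", "O'Neil", "nope' OR '1'='1"]

if __name__ == "__main__":
    for z in SAMPLES:
        for fn in (unquoted_concat, quoted_concat, parameterized):
            print(f"{fn.__name__:16} {z!r:20} -> {outcome(fn, z)}")
```

Only the parameterized form returns the matching row for all three inputs; the hand-quoted form breaks on a value containing a quote and returns every row for the third input.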
 
Thanks Nicholas!
Do you have MSN Messenger? Please email it to (e-mail address removed) I really
would love to get some live chat help.
Thanks...

 
Dharmen,

I tried to message you, but you were not on. =) Feel free to email me
with any more questions (or post, if you wish).

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 
Hey Nicholas,
That was not my MSN ID...I just wanted you to mail your ID to that address so I
can add it on....I didn't wanna post my MSN here, that's why....
thanks

 