
I am writing some code and getting a syntax error that I don't know where it comes from. This is the code I am using:

string u = "select uniqcode from login where users='" + textBoxX1.Text + "' ";

and this is the error I am getting:

"Syntax error (missing operator) in query expression ''select uniqcode from login where users='someuser' ''." (System.Data.OleDb.OleDbException)A System.Data.OleDb.OleDbException was thrown: "Syntax error (missing operator) in query expression ''select uniqcode from login where users='someuser' ''."

  • You should bind parameters instead of concatenating the SQL string, because a user can type something like '; DROP TABLE ... ;-- into the textbox. Commented Sep 18, 2015 at 10:21
  • Why is the column users plural? Do you store multiple users comma separated?? Commented Sep 18, 2015 at 10:22
  • What do you mean?! Would you please elaborate more?! Commented Sep 18, 2015 at 10:22
  • SQL Parameters (OLEDB): msdn.microsoft.com/en-us/library/… Commented Sep 18, 2015 at 10:24
  • @AfshinHaghighat Did you try something like u = "select uniqcode from login where users=?"; and then u.Parameters.Add("@users", OleDbType.VarChar).value = textBoxX1.Text; Commented Sep 18, 2015 at 10:32

4 Answers

1

It might be that the textbox text contains a single quote ('). If so, replace each single quote (') with two single quotes ('').

Otherwise, try to execute it using SQL parameters.


1 Comment

No, the textbox's value doesn't contain any quotes, as you can see from the OP's description: select uniqcode from login where users='someuser' . The quotes are part of the query... I think this should rather be a comment than an answer, as it won't help the OP. You tell him to use SQL parameters; then show a short example, as he obviously has no clue how to use them.
0
string u = "select login.uniqcode from [login] where users='" + textBoxX1.Text.Trim() + "'";

2 Comments

still the same error {"Syntax error (missing operator) in query expression ''select login.uniqcode from [login] where users='someuser'''."}
@AfshinHaghighat If you post the complete code, it will be easier to figure out the problem..
0

Since your error shows that you are using an OleDb connection, you may use the following code. This will avoid SQL injection as well. However, you may need to work a bit to fit the following piece into your code.

u = "select uniqcode from login where users=?"; 

u.Parameters.Add("@users", OleDbType.VarChar).value = textBoxX1.Text;

You may see examples here and here

2 Comments

Error 1 'string' does not contain a definition for 'Parameters' and no extension method 'Parameters' accepting a first argument of type 'string' could be found
@AfshinHaghighat Of course it won't work. I wrote as well that you would need to work a bit with my code.. and in the comments section I asked you to show more of your code so that we can help.. Can you show more code around this line?
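The two answers above recommend binding the textbox value as a parameter but give only a fragment. As an added example (editor's code, not from any of the answers), here is the OP's lookup written out with an OleDbCommand and a bound parameter; the connection string, the textbox name and the column length are assumptions.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example: the OP's "select uniqcode from login where users=..." query
// done with a bound parameter instead of string concatenation.
static class LoginLookup
{
    // Returns the uniqcode for userName, or null when no row matches.
    // OleDb parameters are positional: each '?' in the SQL text is filled by the
    // parameters in the order they are added; the name "@users" is only a label.
    public static string GetUniqCode(string connectionString, string userName)
    {
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(
            "SELECT uniqcode FROM login WHERE users = ?", conn))
        {
            // The textbox value travels to the driver as data, never as SQL text,
            // so quotes, semicolons or comment markers in it cannot change the
            // statement. 255 is an assumed column length.
            cmd.Parameters.Add("@users", OleDbType.VarChar, 255).Value = userName;

            conn.Open();
            object result = cmd.ExecuteScalar();   // first column of first row
            return (result == null || result == DBNull.Value)
                ? null
                : result.ToString();
        }
    }
}

// Usage from the form (connStr and textBoxX1 are assumed to exist):
// string code = LoginLookup.GetUniqCode(connStr, textBoxX1.Text.Trim());
```

Note that the single-quote escaping suggested in the first answer is unnecessary here: because the value is never spliced into the SQL text, a name such as O'Brien is sent unchanged and matched literally.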
0

You need to first read and understand that there are SQL syntax limitations in OleDB.

"A single quote must be escaped with another single quote."

But really, forget single quotes.

Read more about using OleDB here. It's ancient technology anyway, so I would get away from OleDB and have your database ported over to SQL Server or MySQL.

However, what you may need is something like this...

try
{
    connw.Open();
    OleDbCommand command;
    // Note the space after "SELECT *": concatenation adds none by itself.
    // OleDb parameters are positional: each '?' is filled by the parameters
    // in the order they are added, and the names are ignored.
    command = new OleDbCommand(
        "SELECT * " +
        "FROM tableA WHERE Deliveries.EmployeeID = ? AND Deliveries.FIN = ? AND Deliveries.TodaysOrders = ?", connw);
    command.Parameters.Add(new OleDbParameter("@EMPID", Convert.ToDecimal(empsplitIt[1])));
    command.Parameters.Add(new OleDbParameter("@FIN", truckSplit[1].ToString()));
    command.Parameters.Add(new OleDbParameter("@TodaysOrder", "R"));
    // A SELECT returns rows, so read them; ExecuteNonQuery is for INSERT/UPDATE/DELETE.
    using (OleDbDataReader reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            catchReturnedRows++;
        }
    }
    connw.Close();
}
catch (OleDbException exception)
{
    MessageBox.Show(exception.Message, "OleDb Exception");
}

The golden rule of database coding is to never pass a variable directly into the SQL statement like you've done above. That is opening yourself up to SQL injection big time.
