i am having this error when running my application:
The name "DHR32S" is not permitted in this context. Valid expressions
are constants, constant expressions, and (in some contexts) variables.
Column names are not permitted.
here is my code:
c2.command("insert into haraki_item values(" + iddd + ",'Selling Facture','" + itemid + "','" + name + "'," + lasttotal + "," + balancee + ",'" + date + "')");
"DHR32S" is the itemid
You SHOULD always use parameters, for lot of reasons. Here you are missing quotes around concatenated values.
values(" + iddd + ", //<--you are missing quotes around idd
Try with parameters:
c2.command("insert into haraki_item values(#iddd ,#SellingFacture,#itemid ...
command.Parameters.AddWithValue(#iddd,iddd);
command.Parameters.AddWithValue(#SellingFacture,SellingFacture);
....
Related
I'm trying to run this code from the ASP.Net code:
string strupdate = "Insert into registers(user, module, event_type)" +
"values (" +
"'" + user + "'," +
"'" + event + "'," +
"'" + source + "');";
/* connSQL it's the ODBC connection type: System.Data.Odbc.OdbcConnection */
connSQL.ExecuteNonQuery();
The query results into the following:
Insert into registers(user, module, event_type)values('user01','message','control');
Running this query from psql works perfectly fine, but running from the web returns the ODBC 07002 error with the following message: The # of binded parameters < the # of parameter markers
There is a typo in the "'" + event + "," + code, it should be "'" + event + "'," +.
i.e., ending single quote was missed in the second parameter value.
Note: Your code is possible for SQL Injection attack. Please convert the code with parameterised values.
I am completely confused by SQLite right now.
I use the System.Data.SQLite Version for C#
I have two Tables:
Table 1:
In it I have created two columns (more but they are the important in this case and the statement is way to long to post it). The first one is called RecStat and the second one DOXinM.
Both are a Decimal and are created like this:
...
[RectStat] Decimal,
[DOXinM] Decimal,
...
The Create Table statement looks like this:
Create Table If Not Exists "Table1"
(..Columns..);
When I insert a value in this table the decimal works perfectly fine and when I read it out it works too on the xaml GUI.
After that I created a second Table which also has a Decimal Column.
I Created the table the same way (this is a short one, So i can give the whole statement)
Create Table If Not Exists "Table2" (
[ID] Integer Not Null Primary Key,
[Material] VarChar(10],
[Thickness] Decimal);
C# Code for the creation (Note that I work with a const string for all SQL Commands):
mySQLiteCommand.CommandText = #"" + DatabasePara.CREATE_SQL + " " + DatabasePara.TABLE_SQL + " " + DatabasePara.IF_SQL + " " + DatabasePara.NOT_SQL + " " + DatabasePara.EXISTS_SQL + " " + DBTableFilter.Filter + "
mySQLiteCommand.CommandText += #"([" + DBTableFilter.ID + "] " + DatabasePara.INTEGER_SQL + " " + DatabasePara.NOT_SQL + " " + DatabasePara.NULL_SQL + " " + DatabasePara.PRIMARYKEY_SQL + ", ";
mySQLiteCommand.CommandText += #"[" + DBTableFilter.Material + "] " + DatabasePara.VARCHAR_SQL + "(360), ";
mySQLiteCommand.CommandText += #"[" + DBTableFilter.Thickness + "] " + DatabasePara.DECIMAL_SQL + ");";
mySQLiteCommand.ExecuteNonQuery();
In both case I do the same insert for the Decimal Column:
Insert into Table1 ('RectStat') values ('10.5');
Insert into Table1 ('DOXinM') values ('1.3');
Insert into Table2 ('Thickness') values ('0.25');
For the Table2 Insert:
for (int FilterIndex = 0; FilterIndex < Database.FilterTable.FilterList.Count; FilterIndex++)
{
mySQLiteCommand.CommandText = #"" + DatabasePara.INSERTINTO_SQL + " " + DBTableFilter.Filter + "(" + DBTableFilter.Material + ", " + DBTableFilter.Thickness + ") ";
mySQLiteCommand.CommandText += #"" + DatabasePara.VALUES_SQL + " ('" + Database.FilterTable.GetFilterAt(FilterIndex).Material_Property + "', " + Database.FilterTable.GetFilterAt(FilterIndex).Thickness_Property + ");";
mySQLiteCommand.ExecuteNonQuery();
}
Now the Database inserts the first two Statements as 10.5/1.3 and the last one as 0,25
When I read out the value the first two works perfectly fine but the last one is shown without the numbers after the decimal "point".
So my question is.
Why does this happens?
(Btw I have more than 20 Decimals columns in my table and the "Thickness" is the only one with this problem)
I hope you can help me.
Thanks in Advance
Richard
What I have tried:
Tried different Values (Had the hope that it was because of the 0.25)
Tried it without the ''. But than the statement thought it had three values for two columns...
First of all, you should use parameterized queries. They will get rid of conversion problems and prevent sql injection. Most likely your issues are created by the fact, that your type of query creation calls decimal.ToString() implicitly. For certain locales, this replaces the . with a , which leads to a syntax error.
var query = "INSERT INTO yourtable COLUMNS(col1, col2, col3) VALUES(#p1, #p2, #p3)";
var cmd = new SQLiteCommand(query, connection);
cmd.Parameters.AddWithValue("#p1", 1);
cmd.Parameters.AddWithValue("#p2", 2.2);
cmd.Parameters.AddWithValue("#p3", "three");
cmd.ExecuteNonQuery();
This will, among other things, send the decimals to your server in a correct format, and also take care of possible ' quotes in your string literals and prevent sql injection, thus making your code more secure.
I am reworking legacy code and came to this query:
sqlDS.InsertCommand = "INSERT INTO SCHEMA.TABLE " +
"(ID, DATUM, ID_STATE, G_AM, G_VON, DATUM_BEW) " +
"VALUES (" + ((strukturen.Login)Session["svar_bew"]).ID_Bew.ToString() +
", TO_DATE('" + _datum + "', 'DD.MM.YYYY HH24:MI:SS'), 2, TO_DATE('" + lbl_bew.Text +
"', 'DD.MM.YYYY'), 'ID" + ((strukturen.Login)Session["svar_bew"]).ID_Bew.ToString() +
"', TO_DATE('" + _datum + "', 'DD.MM.YYYY HH24:MI:SS'))";
Which works, but I want this abomination rewritten into a paramerterized format, for obious reasons.
Now this is my progress so far:
sqlDS.InsertCommand = "INSERT INTO SCHEMA.TABLE (ID, DATUM, ID_STATE, G_AM, G_VON, DATUM_BEW) " +
"VALUES (:Id_Bew, TO_DATE(':Datum', 'DD.MM.YYYY HH24:MI:SS'), 2, TO_DATE(':BewAm', 'DD.MM.YYYY'), 'ID' || :Id_Bew, TO_DATE(':Datum', 'DD.MM.YYYY HH24:MI:SS'))";
sqlDS.InsertParameters.Add("Id_Bew", ((strukturen.Login)Session["svar_bew"]).ID_Bew.ToString());
sqlDS.InsertParameters.Add("Datum", _datum);
sqlDS.InsertParameters.Add("BewAm", lbl_bew.Text);
This is the table in question:
COLUMN | TYPE
-----------------------
ID | NUMBER
DATUM | DATE
/* Columns | ommited */
ID_STATE | NUMBER
G_AM | DATE
G_VON | CHAR(10 BYTE)
DATUM_BEW | DATE
The variables follow no fixed schema yet, so they were declared in German, never mind that in this case.
The problem is, that this new code now throws an ORA-01036 an I suspect that it is at this location:
'ID" + ((strukturen.Login)Session["svar_bew"]).ID_Bew.ToString() --> 'ID' || :Id_Bew
In the original SQL query the string "ID" is concatinated with an numeric ID which is pulled out of a session variable. My suspicion is, that I concatinated it the wrong way in my paramerterized query and botched up the syntax.
Question is: How can I resolve this error and bring this insert command into a proper format?
Bind Variables Should be defined without embedding in single quotes.
':bind_variable' ---> Wrong (Treated as plain string instead)
:bind_variable ---> Right
So, When you attempted to add a bind parameter, it threw ORA-01036: illegal variable name/number
sqlDS.InsertCommand = "INSERT INTO SCHEMA.TABLE (ID, DATUM, ID_STATE, G_AM, G_VON, DATUM_BEW) " +
"VALUES (:Id_Bew, TO_DATE(:Datum, 'DD.MM.YYYY HH24:MI:SS'), 2, TO_DATE(:BewAm, 'DD.MM.YYYY'), 'ID' || :Id_Bew, TO_DATE(:Datum, 'DD.MM.YYYY HH24:MI:SS'))";
sqlDS.InsertParameters.Add("Id_Bew", ((strukturen.Login)Session["svar_bew"]).ID_Bew.ToString());
sqlDS.InsertParameters.Add("Datum", _datum);
sqlDS.InsertParameters.Add("BewAm", lbl_bew.Text);
There thousands of calls to log4net in the application which were done with the style of string concatenation instead of using string format like "{0} is greater then {1}".
So we wrote a program that will parse all the .cs files using Regex to find the log4net logging statements. It extracts the code between the parentheses () and then calls a method to reformat it and return the results. Then it rewrites the source code file.
This question relates to the method that reformats the log statement.
It receives an argument of string and returns string.
Here's a sample of the log statements:
"Column " + column + " Seq Cnt: " + sequentialCount + ": Seq Avg: " + (sequentialTotal / sequentialCount)
"Opening file for writing copy protection failed. Retrying.", ex
"for assert " + value.ToString("X")
"ExpirationTime()"
"count = " + count + ", round << " + count + " = " + (round << count)
"Total Diff Bytes = " + (7*count)
(series.Count - i - 1) + " " + series.Time[i] + " O,H,L,C:" + series.Open[i].ToDouble() + "," +
series.High[i].ToDouble() + "," +
series.Low[i].ToDouble() + "," +
series.Close[i].ToDouble()
"Recovered orders from snapshot: \n" + OrderStore.OrdersToString()
Essentially, it seems that the plan should be to use Regex.Replace() with a MatchEvaluator.
What is the correct Regex expression for the Regex.Replace?
These seem to be the requirements:
Essentially find each interruption in the string "\s*+\s*(.*)\s+" (over simplified).
Replace each match with a token of the form {0} in the string and then put the specified value as an argument to the method.
Debug methods of the form log.Debug("message",ex) which have a reference to an exception must be identified and skipped.
Of course, the code will switch the calls to DebugFormat() InfoFormat() and so on.
The problem with the above Regex is that it matches this as the first match:
" + column + " Seq Cnt: " + sequentialCount + "
instead of:
" + column + "
I can't simply use ([^"]) instead of (.) or ([^+]*) since some of the values have additional plus or use quotes as arguments to methods.
So it needs some way to say match all characters except if the match the pattern \s+\s" which means plus sign followed by a quote separated by optional white space.
You can make the quantifier lazy. For example:
"\s*\+\s*(\S.*?)\s*\+\s*"
When I update a field in my MySQL database, it always adds a whitespace to the value.
I tried to remove the whitespace with the trim-command and the replace-command. Neither of them worked. So I expect that it isn't a whitespace but some vague ASCII character. These are the commands I used:
this.foo = result.GetValue(0).ToString().Trim();
this.bar = result.GetValue(0).ToString().Replace(" ","");
The field it updates is a VARCHAR(xx). This is my MySQL update command:
MySqlCommand cmd = new MySqlCommand("UPDATE " + table + " SET " + new_field + " =' " + new_value+ "' WHERE " + field+ "= " + value + "",this.con);
this.con is my connection to the MySQL database.
FYI: I use .NET 3.5CF with a mysql.data.cf DLL in Visual Studio 2008.
Could someone help me out with this problem? It's driving me nuts.
Well yes, you've got a leading space in the SQL:
"UPDATE " + table + " SET " + new_field + " =' " + new_value+ "'
Note the bit straight after "=" - you've got a quote, then a space, then new_value.
However, you shouldn't be putting the values in the SQL directly in the first place - you should be using parameterized SQL statements... currently you've got a SQL injection attack waiting to happen, as well as potential problems for honest values with quotes in.
You should use parameterized SQL for both new_value and value here... I'm assuming that field and table come from more "trusted" sources?
This appears to have a space where the * is
" ='*" + new_value