This is the demo code to a project I can't really get to send the "hisname" and "hisage" declared variables as a query. I actually need to send a query for each time the user enters the name and age those names and age must be sent as a query to the database.
static void Main()
{
string hisname;
int hisage;
Console.WriteLine("Hello! Have you met a new friend?");
string ans = Console.ReadLine();
Console.ReadLine();
if (ans == "y")
{
Console.WriteLine("Amazing! Whats his Name?");
hisname = Console.ReadLine();
Console.ReadLine();
Console.WriteLine("Whats his age?");
hisage = Convert.ToInt16(Console.ReadLine());
Console.ReadLine();
Console.WriteLine("Do you want me to store it?");
Console.ReadLine();
string ans2 = Console.ReadLine();
if (ans2 == "y")
{
string SQLConnectionString = "Server=tcp:MYSERVER.database.windows.net,1433;Database=friendsadded;User ID=MYID;Password=MYPASS;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;";
// Create a SqlConnection from the provided connection string.
using (SqlConnection connection = new SqlConnection(SQLConnectionString))
{
SqlCommand command = new SqlCommand();
command.Connection = connection;
command.CommandType = System.Data.CommandType.Text;
command.CommandText = #"INSERT INTO [myfriends] ([Friend], [Age]) VALUES ( N'hisname', 'hisage')";
// command.CommandText = #"SELECT TOP 10 UID, FRIEND, AGE FROM dbo.myfriends";
connection.Open();
}
}
}
}
}
}
Here the friendsadded is the database and myfriends is the table under it. I want it to add the names and age of the new entries to the database.
Here is an example of using parameters for this instead of passing through user entered data which is vulnerable to sql injection.
using (SqlConnection connection = new SqlConnection(SQLConnectionString))
{
SqlCommand command = new SqlCommand();
command.Connection = connection;
command.CommandType = System.Data.CommandType.Text;
command.CommandText = #"INSERT INTO [myfriends] ([Friend], [Age]) VALUES ( #hisname, #hisage)";
command.Parameters.Add("#hisname", SqlDbType.VarChar, 10).Value = hisname;
command.Parameters.Add("#hisage", SqlDbType.Int).Value = hisage;
connection.Open();
command.ExecuteNonQuery();
}
Related
Trying to create a asp.net c# form for learning purposes at home and i'm absolutely struggling to connect to my storedprocedure.
I'm definitely in the right database as when I start the database by cmdprompt and connect to it via datasource in visual design it connects and finds the stored procedure. So there must be something I am doing wrong? I've been searching Google for about 30-40 minutes now and everything I've tried hasn't resolved my issue. Any suggestions please?
const string constring = #"Data Source=(localdb)\ProjectsV12;Integrated Security=True;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False";
public static int InsertEnquiry(string Name, string Subject, string Email, string Message, string Phone) {
//default ticketid of 0 which will be changed to -1 if an error or greater than 0 if successful
int TicketID = 0;
if (String.IsNullOrEmpty(Phone)) Phone = "0";
using (var conn = new SqlConnection(constring)) {
//create command
SqlCommand command = new SqlCommand();
//tell the command which connection its using
command.Connection = conn;
//inform command that it is a stored procedure and the name of stored procedure
command.CommandText = "InsertEnquiry";
command.CommandType = CommandType.StoredProcedure;
//add the parameters to the sqlcommand
command.Parameters.Add(new SqlParameter("#Name", SqlDbType.NVarChar)).Value = Name;
command.Parameters.Add(new SqlParameter("#Subject", SqlDbType.NVarChar)).Value = Subject;
command.Parameters.Add(new SqlParameter("#Phone", SqlDbType.NVarChar)).Value = Phone;
command.Parameters.Add(new SqlParameter("#Email", SqlDbType.NVarChar)).Value = Email;
command.Parameters.Add(new SqlParameter("#Message", SqlDbType.NVarChar)).Value = Message;
// try run command and set TicketID to the row inserted into the table.
try {
conn.Open();
//run command
command.ExecuteNonQuery();
//return scope identity of row.
TicketID = (int)command.Parameters["#TicketID"].Value;
}
catch (Exception e) {
//show -1 to state there is an error
TicketID = -1;
}
}
return TicketID;
}
}
1st
I think you are connected to the wrong db, probably you are in master.
Run this piece of code and check the name of the database and see if it's the one that you want.
public static string checkDB()
{
string dbName = "";
using (var conn = new SqlConnection(constring))
{
//create command
SqlCommand command = new SqlCommand();
//tell the command which connection its using
command.Connection = conn;
//inform command that it is a stored procedure and the name of stored procedure
command.CommandText = "select DB_NAME()";
command.CommandType = CommandType.Text;
// try run command and set TicketID to the row inserted into the table.
try
{
conn.Open();
//run command
SqlDataReader reader = command.ExecuteReader();
reader.Read();
dbName = reader[0].ToString();
}
catch (Exception e)
{
}
}
return dbName;
}
2nd
You are trying to get the value from the parameter #TicketID but you didn't specify this parameter as an output parameter.
command.Parameters.Add("#TicketID", SqlDbType.Int).Direction = ParameterDirection.Output;
EDIT1:
This is how do you put the db name in the connection string:
const string constring = #"Data Source=(localdb)\ProjectsV12;Integrated Security=True;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;Initial Catalog=MY_DB_NAME";
I am creating a login system but I dont know how to handle the login information (username and password)
Here is my code:
MySqlConnection connection = new MySqlConnection(MySQLConnection);
connection.Open();
string result = string.Empty;
MySqlCommand cmd = connection.CreateCommand();
cmd.CommandText = "SELECT * FROM users WHERE nick="+nick.Text+" AND password="+pass.Text+" LIMIT 1;";
MySqlDataReader dataReader = cmd.ExecuteReader();
result = (string)cmd.ExecuteScalar();
connection.Close();
if (result.Length!=0)
{
int id;
label3.Text = "Loged.";
dataReader.Read();
id = Convert.ToInt32(dataReader[0]);
game g = new game();
g.label1.Text = Convert.ToString(dataReader[1]);
g.label84.Text = Convert.ToString(id);
this.Hide();
g.Show();
}
else
{
label3.Text = "Bad information.";
}
This doesnt work: how do I check if the user exists with this information(username and password) and that the details are valid?
Following should be done:
Use Parameterized Query and using statement
Use only MySqlDataReader no need of ExecuteScalar
Check if dataReader.HasRows
Read values from reader and perform required action.
Code:
using (MySqlConnection connection = new MySqlConnection(MySQLConnection))
{
connection.Open();
MySqlCommand cmd = connection.CreateCommand();
cmd.CommandText = "SELECT * FROM users WHERE nick=#nick AND password=#pass LIMIT 1;";
cmd.Parameters.AddWithValue("#nick", nick.Text);
cmd.Parameters.AddWithValue("#pass", pass.Text);
using (MySqlDataReader dataReader = cmd.ExecuteReader())
{
if (dataReader.HasRows)
{
label3.Text = "Loged.";
dataReader.Read();
int id = Convert.ToInt32(dataReader[0]);
game g = new game();
g.label1.Text = Convert.ToString(dataReader[1]);
g.label84.Text = id.ToString();
this.Hide();
g.Show();
}
else
{
label3.Text = "Bad information.";
}
}
}
I think the problem is your select statement. You have to use single quote in where condition for the string data types
Try the following query
cmd.CommandText = "SELECT * FROM users WHERE nick='"+nick.Text+"' AND password='"+pass.Text+"' LIMIT 1;";
Also you can make the query parameterized, which is more efficient.
Here is the code that i used and It will popup an Exception at the 3rd command.CommandText assignment but it is the same way that i used in 2nd command.CommandText assignment,
SqlCommand command = conn.CreateCommand();
conn.Open();
//1st
command.CommandText = query;
SqlDataReader reader = command.ExecuteReader();
ArrayList alMainGrid = new ArrayList();
while (reader.Read())
{
SupportTable table = new SupportTable();
table.LaySheetNo = reader.GetValue(0).ToString();
table.PlnLayStartTime = reader.GetDateTime(1).ToString();
table.PlnLayEndTime = reader.GetValue(2).ToString();
table.LayTableId = reader.GetValue(3).ToString();// reader.GetValue(3).ToString();
table.LayTeamId = reader.GetValue(4).ToString();
alMainGrid.Add(table);
}
reader.Close();
foreach (SupportTable table in alMainGrid)
{
//2nd
command.CommandText = String.Format("SELECT CTDesc FROM CutTable WHERE CTId ={0}", int.Parse(table.LayTableId));
string tableDesc = (string)command.ExecuteScalar();
table.LayTeamId = tableDesc;
//3rd-In this command.CommandText
command.CommandText = String.Format("SELECT TeamDesc FROM Team WHERE TeamId ={0}", int.Parse(table.LayTeamId));
string teamDesc = (string)command.ExecuteScalar();
table.LayTeamId = teamDesc;
}
dgvMain.DataSource = alMainGrid;
When you assign table.LayTeamId in the line a couple of lines above where you are seeing the exception:
table.LayTeamId = tableDesc;
I expect that tableDesc is assigning a value to table.LayTeamId that cannot be parsed to an Int and then blows up when you try to parse it here:
command.CommandText = String.Format("SELECT TeamDesc FROM Team WHERE TeamId ={0}", int.Parse(table.LayTeamId));
NOTE:
This is a bad way to form queries by concatenating strings. This will leave you vulnerable to SQL Injection attacks if you aren't careful. Use parameterized queries to sanitize your queries before you execute them on your database.
Try this
command.CommandText = String.Format("SELECT CTDesc FROM CutTable WHERE CTId ={0}", (table.LayTableId == "") ? -1 : Convert.ToInt32(table.LayTableId);
command.CommandText = String.Format("SELECT TeamDesc FROM Team WHERE TeamId ={0}", (table.LayTeamId == "") ? -1 : Convert.ToInt32(table.LayTeamId);
I am trying to apply N before variable name for Unicode as mentioned in How to use 'LIKE' statement with unicode strings?
With the following code I am getting following error. What need to be corrected here?
Exception: Invalid column name 'N#input'.
string commandText = #"SELECT AccountType,*
FROM Account
WHERE AccountType LIKE N#input ";
CODE
static void Main(string[] args)
{
string result = DisplayTest("Daily Tax Updates: ----------------- Transactions");
}
private static string DisplayTest(string searchValue)
{
string test = String.Empty;
string connectionString = "Data Source=.;Initial Catalog=LibraryReservationSystem;Integrated Security=True;Connect Timeout=30";
using (SqlConnection connection = new SqlConnection(connectionString))
{
connection.Open();
string commandText = #"SELECT AccountType,*
FROM Account
WHERE AccountType LIKE N#input ";
using (SqlCommand command = new SqlCommand(commandText, connection))
{
command.CommandType = System.Data.CommandType.Text;
command.Parameters.AddWithValue("#input", "%" + searchValue + "%");
using (SqlDataReader reader = command.ExecuteReader())
{
if (reader.HasRows)
{
while (reader.Read())
{
test = reader.GetString(0);
}
}
}
}
}
return test;
}
I see a few issues.
string commandText = #"SELECT AccountType,*
FROM Account
WHERE AccountType LIKE N#input";
should be
string commandText = #"SELECT AccountType,*
FROM Account
WHERE AccountType LIKE #input";
...
command.Parameters.Add("#input",System.Data.SqlDbType.NVarChar,<<size>>);
command.Parameters[0].Value = "%" + searchValue + "%";
I see you're trying to use a nvarchar parameter. I think .net does that by default with .AddWithValue
I'm not sure why do you need the typecast to nvarchar, you should be fine without the 'N' part.
That part you need when you want to specify that a string literal should be treated as nvarchar not as varchar, as in SELECT * from Table where field like N'%VALUE%'
Otherwise, you just declare your variable/parameter as nvarchar
Taken from this stack Stack overflow
SqlParameter parameter = new SqlParameter();
parameter.ParameterName = "#CategoryName";
parameter.SqlDbType = SqlDbType.NVarChar;
parameter.Direction = ParameterDirection.Input;
parameter.Value = categoryName;
Try this one -
private static string DisplayTest(string searchValue)
{
string connectionString = "Data Source=.;Initial Catalog=LibraryReservationSystem;Integrated Security=True;Connect Timeout=30";
using (SqlConnection connection = new SqlConnection(connectionString))
{
connection.Open();
string commandText = #"SELECT AccountType,* FROM Account WHERE AccountType LIKE #input";
using (SqlCommand command = new SqlCommand(commandText, connection))
{
command.CommandType = System.Data.CommandType.Text;
command.Parameters.Add("#input", SqlDbType.NVarChar);
command.Parameters["#input"].Value = string.Format("%{0}%", searchValue);
using (SqlDataReader reader = command.ExecuteReader())
{
if (reader.HasRows)
{
while (reader.Read())
{
return reader.GetString(0);
}
}
}
}
}
return String.Empty;
}
I need to retrieve Ticket_Id from tbl_Ticket to pass into body section of sending email function..
Is the below code correct?
every times i get Ticket_Id 1..
public int select_TicketId(){
string strConn = System.Configuration.ConfigurationManager.ConnectionStrings["conString"].ConnectionString.ToString();
SqlConnection sqlCon = new SqlConnection(strConn);
string getId = ("select Ticket_Id from tbl_Ticket where Client_EmailAdd='" + objNewTic_BAL.email + "' ");
sqlCon.Open();
SqlCommand cmd1 = new SqlCommand(getId, sqlCon);
int i=cmd1.ExecuteNonQuery();
return i;
}
You are searching for ExecuteScalar which returns the first value.
using System.Configuration;
//
public int select_TicketId()
{
string strConn = ConfigurationManager.ConnectionStrings["conString"].ConnectionString.ToString();
SqlConnection sqlCon = new SqlConnection(strConn);
string getId = ("select TOP 1 Ticket_Id from tbl_Ticket where Client_EmailAdd='" + objNewTic_BAL.email + "' ");
sqlCon.Open();
SqlCommand cmd1 = new SqlCommand(getId, sqlCon);
return Convert.ToInt32(cmd1.ExecuteScalar());
}
Also use CommandProperties to set the where statement for better security, like below:
public int select_TicketId()
{
string connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["conString"].ConnectionString;
int result = -1;
using (SqlConnection connection = new SqlConnection(connectionString))
{
connection.Open();
SqlCommand command = new SqlCommand();
command.Connection = connection;
command.CommandType = CommandType.Text;
command.CommandText = "select TOP 1 Ticket_Id from tbl_Ticket where Client_EmailAdd=#email";
command.Parameters.Add("#email", SqlDbType.Text).Value = objNewTic_BAL.email;
result = Convert.ToInt32(command.ExecuteScalar());
}
return result;
}
You should call int i=(int)cmd1.ExecuteScalar(); method
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.executescalar.aspx
You're calling ExecuteNonQuery. But it's a query. This should have rung some warning bells :)
Try ExecuteScalar instead, and cast the result to int...
return (int) cmd1.ExecuteScalar();
Note that you should use using statements for the command and connection as well, so that both are closed appropriately.
And (I hadn't spotted this before) you should definitely use parameterized SQL instead of including a value directly into your SQL. Otherwise you're open to SQL Injection attacks...
So something like:
private const string FetchTicketIdSql =
"select Ticket_Id from tbl_Ticket where Client_EmailAdd = #Email";
public int FetchTicketId()
{
// No need for ToString call...
string connectionString =
ConfigurationManager.ConnectionStrings["conString"].ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
{
connection.Open();
using (SqlCommand command = new SqlCommand(connection, FetchTicketIdSql))
{
command.Parameters.Add("#Email", SqlDbType.NVarChar).Value =
bjNewTic_BAL.email;
return (int) command.ExecuteScalar();
}
}
}
You should consider what you want to happen if there isn't exactly one result though...
Hiral,
ExecuteNonQuery in
int i=cmd1.ExecuteNonQuery();
will return number of records that satisfy your query. In this case it is 1 (or 0 if there are no emails)
Try using ExecuteReader instead.