How to write a select statement with where clause.i need to compare with a string value.
I tried this:
string get_dropdown_value = dropdown_category.SelectedItem.Value;
...but it gives me this error:
Invalid column name 'get_dropdown_value'.
You will have to show the select statement you are using. I suspect you have done something like this:
string selectStatement = "SELECT * FROM SOME_TABLE WHERE SOME_COLUMN = get_dropdown_value";
While it should be like:
string selectStatement = "SELECT * FROM SOME_TABLE WHERE SOME_COLUMN = " + get_dropdown_value;
Edit: As others mentioned, this is prone to SQL Injection. So, you might want to use SqlParamter (assuming you are using SQL).
Try this code
insted of
string get_dropdown_value = dropdown_category.SelectedItem.Value;
Put
string get_dropdown_value = dropdown_category.SelectedItem.Text;
Related
I have a requirement where I have to replace the database names in the dynamic sql with the new database names .
something like following:
select * from DBName.TableName
should become
select * from newDBName.TableName
select * from [DbName].TableName
should become
select * from [NewDbName].TableName
I have tried string.Replace() method but that doesn't respect all combinations a programmer can write the database names in a dynamic sql
Please help.
Instead of trying to replace parts of a string, you should use a formatted string and pass in the parameter. For example:
var query = String.Format("select * from {0}.TableName", newDB)
used in a method where you can pass in the new db name and return the new query.
public static string GetNewQuery(string newDB) {
return String.Format("select * from [{0}].TableName", newDB);
}
would result in "select * from [newDB].TableName"
https://msdn.microsoft.com/en-us/library/system.string.format(v=vs.110).aspx
I'm running the following query
cmd = new SqlCommand("SELECT * FROM addresses WHERE identifier NOT IN(#notIn)", _connector.getMsConnection());
When I view the value notIn and copy this query I get an empty result on my database (which I'm expecting). However when I'm running this code I get 6 results. The content of string notIN is for example
string notIn = "'201619011124027899693E8M2S3WOCKT9G6KHE11' ,'201619011124027899693E8M2S3WOCKT9G6KHE12'"
which combined with
SELECT *
FROM addresses
WHERE identifier NOT IN(#notIn)
Should create
SELECT *
FROM addresses
WHERE identifier NOT IN ('201619011124027899693E8M2S3WOCKT9G6KHE11',
'201619011124027899693E8M2S3WOCKT9G6KHE12' )
which runs as expected.
it should be like this:
cmd = new SqlCommand(string.Format("SELECT * FROM addresses WHERE identifier NOT IN({0})", notIn), _connector.getMsConnection());
This way the value of notIn will be concat to your string query.
Contrary to what the other answers say, concatenating the string to build the SQL is a bad idea, especially since the input values are strings. You open yourself up to SQL injection attacks.
You should be generating multiple parameters for each item in your list.
For example, if you have the input input:
var notIn = new[] { "A1", "B2", "C3" }
You'd want something like
for(var i = 0; i < notIn.Length; i++)
command.AddParamWithValue("p"+i, notIn);
And then you can build the SQL with concatenation (note that we are not concatenating an input here)
var sql = "SELECT * FROM addresses WHERE identifier NOT IN(" + string.Join(",", notIn.Select(i,v) => { "#p" + i; }) + ")";
Which then would look like:
SELECT * FROM addresses WHERE identifier NOT IN (#p0,#p1,#p2)
Alternatively, you could dump the values into a temporary table and do a join.
Note that the above is pseudocode, and may not compile verbatim, but should give you the right idea about how to procede.
It's because, you passed the #notIn as a whole string, which means, the SQL server see it as:
SELECT * FROM addresses WHERE identifier NOT IN('''201619011124027899693E8M2S3WOCKT9G6KHE11'',''201619011124027899693E8M2S3WOCKT9G6KHE12''')
So you got empty result
Try changing the "not in" to where clause and generate the where with C#:
string selectStatement = "SELECT * FROM addresses WHERE";
selectStatement += " identifier != '201619011124027899693E8M2S3WOCKT9G6KHE11' and identifier != '201619011124027899693E8M2S3WOCKT9G6KHE12'";
Or if you really want to use parameterized SQL, try doing it in stored procedure instead.
So I've got this code:
query2 = "SELECT * from Clicking WHERE ID = '" + ID + "'";
And it seems to make problems with the script, probably I'm mistaken with something here.
For instance, when I write this:
query2 = "SELECT * from Clicking WHERE ID = 3";
..this works just fine, and the script continue with no problems. But with my original code it shows me this error:
OleDbException was unhandled by user code
An exception of type 'System.Data.OleDb.OleDbException' occurred in System.Data.dll but was not handled in user code
Any suggestions how to make this work?
When you use single quotes the 3 is treated as string, and probably your ID column is an int, that's why you are getting the exception .
Also do not use string concatenation, use parameterized queries to prevent SQL injection attacks
query2 = "SELECT * from Clicking WHERE ID = #id";
using(var cmd = new SqlCommand(query2, connection))
{
cmd.Parameters.AddWithValue("#id", ID);
...
}
The way you have the query written it will be like this:
SELECT * from Clicking WHERE ID = '3'
The '' around a number means it will look for an ID as a string that is equal to 3. So you want to remove the single quotes around the number, so it will search for a number that is equal to 3, or whatever number you use. This is what you want:
query2 = "SELECT * from Clicking WHERE ID = " + ID;
I like to know is it possible to add parameter in datatable.select(expression).For example
string query="Name=#Name";
//dt is comming from database.
dt.Select(query);
How to add this parameter #Name. I need to compare a value which contains single quote and it gets failed in the above case.
Thanks in advance
You can use String.Format, you need to escape single quotes with two:
string query = string.Format("Name='{0}'", name.Replace(#"'", "''"));
var rows = dt.Select(query);
or, if you want to use Like:
string query = string.Format("Name LIKE '%{0}%'", name.Replace(#"'", "''"));
(note that a DataTable is not vulnerable to sql-injection since it's an in-memory object)
You can pass only expression to Select method.
In case if you need to pass the parameter dynamically then you can try this.
string Exp = "Name ='" + variable + "'";
dt.select(Exp);
I am trying to do an SQL query such as
SELECT * FROM [TABLE] WHERE hostname LIKE '%myhostname%';
This works fine in plain SQL, but when I use System.Data.SQLite in C#, it only works with a literal, not a parameter, such as
string sel = "SELECT * FROM [TABLE] WHERE hostname LIKE '%#host%'";
...
command.Parameters.AddWithValue("#host", "myhostname");
This returns no results.
You can't do that. The parameters must be complete values - it's not just a string substitution into the SQL. You could do this instead:
string sel = "SELECT * FROM [TABLE] WHERE hostname LIKE #host";
...
command.Parameters.AddWithValue("#host", "%myhostname%");
Easiest way to do this is to use '||'
Use :
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE #wtName || '%' ";
Instead Of:
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE #wtName%";
I have already answered here