Dear Friends,

Please tell me the error in the below query:

C#
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName=" + Request.QueryString["CategoryName"], con);


Note: I want to bind the values based on string in Repeater control.

Thanks in advance.
Posted
Updated 22-Jul-15 21:11pm
Comments
Praveen Kumar Upadhyay 23-Jul-15 3:11am    
There is nothing wrong in the query. Can you please brief a little more.
Member 10021658 23-Jul-15 3:19am    
I want to bind the value to repeater control based on string values.
Please follow the below example based on the above query.

I have two tables like tblCategories(CategoryId, CategoryName) & tblSubCategories(CategoryName, Id, SubCategoryName). Now I would like to bind the subcategories based on CategoryName. I hope you understand my issue.

The only visible error is that you have forgotten to wrap your value for CategoryName in a pair of single quotes.
Try this-
C#
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName='" + Request.QueryString["CategoryName"]+"'", con);


Note: It is always recommended to use a parameterized query or a stored procedure to prevent SQL injection.
Reference:
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server
http://www.dotnetperls.com/sqlparameter
SQL Injection Attacks and Some Tips on How to Prevent Them

Hope, it helps :)
 
Comments
CPallini 23-Jul-15 3:17am    
5.
Suvendu Shekhar Giri 23-Jul-15 3:21am    
Thanks :)
Member 10021658 23-Jul-15 3:23am    
Thanks Suvendu Sekhar.
It's working fine. Thanks once again
Suvendu Shekhar Giri 23-Jul-15 3:27am    
Glad to know that it helped :)
Also consider prevention measures for SQL injection.
Use a parameter:
C#
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName=@CategoryName", con);
cmd.Parameters.AddWithValue("@CategoryName", Request.QueryString["CategoryName"]);


Or, for your inline parameter, specify it as a string by using ''
C#
SqlCommand cmd = new SqlCommand("select * from tblCategories where CategoryName='" + Request.QueryString["CategoryName"]+"'", con);

But a parameterized SQL query is safer, and it will protect your application from SQL injection attacks.
 
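Both answers above say the quoted-concatenation fix works but a parameterized query is safer; neither shows what the difference actually does to the query. The following is an added example, not code from the thread or from CodeProject, that makes the difference observable. It uses Python's sqlite3 module as a stand-in for C#/ADO.NET and SQL Server (sqlite3 accepts the same @Name placeholder syntax), with the two tables named in the question recreated in memory and a few made-up rows. It runs the original unquoted query, the accepted answer's quoted version, and the parameterized version from the second answer against an honest value, a legitimate value containing an apostrophe, and two classic injection payloads:

```python
import sqlite3

# Constructed in-memory stand-in for the two tables named in the thread:
# tblCategories(CategoryId, CategoryName) and
# tblSubCategories(CategoryName, Id, SubCategoryName). The rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tblCategories (CategoryId INTEGER, CategoryName TEXT);
        CREATE TABLE tblSubCategories (CategoryName TEXT, Id INTEGER, SubCategoryName TEXT);
        INSERT INTO tblCategories VALUES (1, 'Books'), (2, 'Music'), (3, 'Internal');
        INSERT INTO tblSubCategories VALUES
            ('Books', 1, 'Fiction'), ('Books', 2, 'History'),
            ('Music', 3, 'Jazz'), ('Internal', 4, 'Unreleased');
    """)
    return conn


def subcategories_unquoted(conn, category_name):
    """The question's original shape: the value is pasted in with no quotes,
    so a value such as Books is parsed as a column name and the query fails."""
    sql = "select * from tblSubCategories where CategoryName=" + category_name
    return [row[2] for row in conn.execute(sql)]


def subcategories_quoted(conn, category_name):
    """The accepted answer's fix: wrap the value in single quotes. This cures
    the syntax error, but the value is still part of the SQL text, so a quote
    inside the value (an apostrophe or an attacker's payload) rewrites the query."""
    sql = "select * from tblSubCategories where CategoryName='" + category_name + "'"
    return [row[2] for row in conn.execute(sql)]


def subcategories_parameterized(conn, category_name):
    """The parameterized form from the second answer. The value is bound to the
    compiled statement as data and can never be interpreted as SQL."""
    sql = "select * from tblSubCategories where CategoryName=@CategoryName"
    return [row[2] for row in conn.execute(sql, {"CategoryName": category_name})]


def run(query_fn, conn, category_name):
    """Call one of the query functions, returning the SQL error text instead of
    raising so that the failure modes can be compared side by side."""
    try:
        return query_fn(conn, category_name)
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


# Inputs as they might arrive in Request.QueryString["CategoryName"] (constructed):
HONEST = "Books"
APOSTROPHE = "O'Reilly"                     # legitimate data that contains a quote
TAUTOLOGY = "' OR '1'='1"                   # makes the WHERE clause always true
UNION_DUMP = ("x' UNION SELECT CategoryName, CategoryId, CategoryName "
              "FROM tblCategories --")      # reads another table; -- hides the trailing quote


def compare(category_name):
    """Run one input through all three query styles and return the results."""
    conn = make_db()
    return {
        "unquoted": run(subcategories_unquoted, conn, category_name),
        "quoted": run(subcategories_quoted, conn, category_name),
        "parameterized": run(subcategories_parameterized, conn, category_name),
    }


if __name__ == "__main__":
    for label, value in [("honest", HONEST), ("apostrophe", APOSTROPHE),
                         ("tautology", TAUTOLOGY), ("union dump", UNION_DUMP)]:
        print(label, "->", compare(value))
```

The unquoted query fails even on an honest value, which is the error the question asked about. The quoted query returns the right rows for "Books" but breaks on "O'Reilly", returns every subcategory for the tautology payload, and returns the contents of tblCategories for the UNION payload; the parameterized query returns the two Books rows for the honest value and nothing at all for the other three, because each of them is compared literally against the CategoryName column. The Repeater binding is unaffected by which form you use. In ADO.NET, AddWithValue infers the SQL type from the .NET value (a string becomes nvarchar), so against a varchar column prefer cmd.Parameters.Add("@CategoryName", SqlDbType.VarChar, length).Value = ... to avoid an implicit conversion that can defeat an index.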

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


