I have a form through which the user will enter an empcode (checking whether it is present in the table).
When I click on Login I am getting the following error:
Invalid column name
cmd.CommandText = "select employee_code from MST_Employee where employee_code = " + emp_code;

In the above select I am writing the where condition, in which empcode is taken from the textbox.

Form1 frm = new Form1();
emp_code = First_NametextBox.Text;
SqlConnection connection_string = new SqlConnection(System.Configuration.ConfigurationManager.AppSettings["database1"]);
connection_string.Open();
SqlCommand cmd = connection_string.CreateCommand();
// the textbox value is pasted straight into the SQL text
cmd.CommandText = "select employee_code from MST_Employee where employee_code = " + emp_code;
SqlDataReader row = cmd.ExecuteReader();

// keep the last employee_code returned (at most one row is expected)
while (row.Read())
{
    temp_emp_code = (string)row[0];
}
row.Close();
connection_string.Close();
MessageBox.Show("Temp-emp-value : " + temp_emp_code);
if (emp_code == temp_emp_code)
{
    frm.Show();
}
else
{
    MessageBox.Show("Invalid Employee Code Type Again");
    return;
}
//MessageBox.Show("First :" + emp_code);

I don't understand what is wrong in my code.

It has to be written like this:

cmd.CommandText = "select employee_code from MST_Employee where employee_code = '" + emp_code + "'";

Mitja

And if you are only expecting one value you should use ExecuteScalar() not ExecuteReader().

Yes, Reader is used to get more values (specific ones).

Thanks for giving your valuable time.
I am using ExecuteScalar, but the problem can be SQL injection (in the textbox the user can type delete).

SqlCommand cmd = connection_string.CreateCommand();
// the textbox value is still concatenated into the SQL text, only now inside quotes
cmd.CommandText = "select employee_code from MST_Employee where [employee_code] = '" + Emp_codetextBox.Text + "'";

// ExecuteScalar returns the first column of the first row, or null when no row matches
temp_emp_code = (string)cmd.ExecuteScalar();

How can I correct the above code to avoid SQL injection?
And when the user gives a correct id it shows the next form according to the code, but it is not closing the login form.
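
The parameterized version of the lookup above, as an added example that is not code from the thread: the textbox value is bound to a SqlParameter instead of being concatenated into the SQL text, and the login form is hidden rather than closed. It assumes the thread's names (Form1, Emp_codetextBox, the "database1" setting, the MST_Employee table) and a varchar(20) employee_code column, which is a guess.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public class LoginForm : Form
{
    // Normally created by the designer; declared here only so the class compiles alone.
    private readonly TextBox Emp_codetextBox = new TextBox();

    // Returns the stored employee code, or null when no row matches.
    // The value travels as a typed parameter, never as part of the SQL text, so input
    // such as  x'; delete from MST_Employee --  is compared as a plain string literal.
    private static string LookupEmployeeCode(string connectionString, string empCode)
    {
        const string sql =
            "select employee_code from MST_Employee where employee_code = @employee_code";

        using (var connection = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, connection))
        {
            // Type and length are fixed here; varchar(20) is an assumed column size.
            cmd.Parameters.Add("@employee_code", SqlDbType.VarChar, 20).Value = empCode;
            connection.Open();
            object result = cmd.ExecuteScalar();   // null when there is no matching row
            return result == null ? null : (string)result;
        }
    }

    private void LoginButton_Click(object sender, EventArgs e)
    {
        string empCode = Emp_codetextBox.Text.Trim();
        string connectionString = ConfigurationManager.AppSettings["database1"];
        string stored = LookupEmployeeCode(connectionString, empCode);

        if (stored == null)
        {
            MessageBox.Show("Invalid Employee Code Type Again");
            return;
        }

        // Closing the startup form ends the application, so hide it instead and
        // close it only when the next form has been closed.
        var next = new Form1();
        next.FormClosed += (s, args) => this.Close();
        this.Hide();
        next.Show();
    }
}
```

Because the comparison happens on the server with a parameter, there is no need to read the value back and compare it again in C#; a null result already means the code is not in the table.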
