Hi there,

Im getting the error above, when i run my code.

string myCommand = "SELECT * FROM Manager WHERE UserName=" + ID;

        SqlDataAdapter da = new SqlDataAdapter(myCommand, con);

        DataSet ds = new DataSet();

        try
        {
            con.Open();
            da.Fill(ds); [B]// <- highlighting this part of the code..[/B]
        }
        finally
        {
            con.Close();
        }
        foreach (DataRow dr in ds.Tables[0].Rows)
        {
            txtUserName.Text = dr[1].ToString();

        }

    }
}

All i want to do is query the MS SQL database for data and extract row by row into an HTML table. This has proven to be a real pain in the neck. This simple function is sooo easy with PHP.

Please let me know if im on the right track, or if you can help with my error, i appreciate your help!

Thanks!

try to change your code to :

string myCommand = "SELECT * FROM Manager WHERE UserName= ID";

it should work if it doesn't try more alternatives.:icon_cool: [/I]

Try enclosing your ID value in single quotes.

string myCommand = "SELECT * FROM Manager WHERE UserName='" + ID + "'";

you need a space before and after the "=" sign. That may help.

Only enlcose your ID value in single quotes if is a text value.

I would highly recommend against building your queries dynamically like this. You should use parameterized SQL for security and performance reasons, please see:
http://www.daniweb.com/forums/thread176306.html

Here is sample code for your situation:

private void simpleButton1_Click(object sender, EventArgs e)
{
	const string connStr = @"Data Source=apex2006sql;Initial Catalog=Leather;Integrated Security=True;";
	const string query = "Select * From Invoice Where InvNumber = @InvNumber";
	const int invNumber = 1100;

	DataSet ds = new DataSet();

	using (SqlConnection conn = new SqlConnection(connStr))
	{
		conn.Open();
		using (SqlCommand cmd = new SqlCommand(query, conn))
		{
			cmd.Parameters.Add("@InvNumber", SqlDbType.Int).Value = invNumber;
			using (SqlDataAdapter da = new SqlDataAdapter(cmd))
			{
				da.Fill(ds);
			}
		}
		conn.Close();
	}
}

CHECK THAT YOUR ID CONTAINS A VALUE OR NOT. I THINK YOUR ID DOES NOT CONTAIN VALUE... So THAT YOUR QUERY WILL BE LIKE WHERE ...= SO WHEN YOU EXECUTE THE QUERY GETS THIS ERROR.

Comments
fixed the issue I was having and spent a couple of hours looking at.

CHECK THAT YOUR ID CONTAINS A VALUE OR NOT. I THINK YOUR ID DOES NOT CONTAIN VALUE... So THAT YOUR QUERY WILL BE LIKE WHERE ...= SO WHEN YOU EXECUTE THE QUERY GETS THIS ERROR.

This also gives another reason why parameterized queries should be used, because in the case of a blank ID it would run the query looking for null.

Totally agree with SKnake on this, any kind of attempt to use dynamic sql should include thorough checking for SQL injection attempts.

The solution is as stated that the parameter is text and should be enclosed in single quotes spaces around the equals will make no difference at all, if the parameter potentially could contain Unicode text like Japanese or Chinese characters it should also be prefixed with an N to let SQL server know that the contents could be of the NVARCHAR type.

you need a space before and after the "=" sign. That may help.

Only enlcose your ID value in single quotes if is a text value.

THANKYOU very much for this, it fixed my issue!!!

This article has been dead for over six months. Start a new discussion instead.