ansaurus

Question

Problem with WHERE columnName = Data in MySQL query in C#

Answer 1

+1 A:

Shouldn't the WHERE clause be WHERE name = '" + show + "'"; Strings should be enclosed in single quotes and not double quotes for SQL statements.

Also the System.Data.SqlClient namespace is for SQL Server and not MySQL. See MySQL official docs for connecting to MySQL via C#.

Mr Roys 2010-05-04 02:27:06

+1 - can't believe I didn't see the MySQL part of the question... he tricked me!

John Rasch 2010-05-04 02:47:44

Answer 2

+4 A:

Quick solution:

I believe you need single quotes in your selectStr:

string selectStr = 
"SELECT name, castNotes, triviaNotes FROM tableName WHERE name = '" + show + "'";

More information:

In .NET, you'll want to be sure you close out any connections explicitly when you no longer need them. The easiest way to do this is to wrap using statements around any types that implement IDisposable, such as SqlConnection in this case:

using(SqlConnection conn = new SqlConnection(connectionStr))
{
    SqlDataAdapter da = new SqlDataAdapter(selectStr, conn);
    DataSet ds = new DataSet();
    da.Fill(ds, "tableName");
    DataTable dt = ds.Tables["tableName"];

    DataRow theShow = dt.Rows[0];
    string response = "Name: " + theShow["name"].ToString() + "Cast: " + theShow["castNotes"].ToString() + " Trivia: " + theShow["triviaNotes"].ToString();

    return response;
}

Additionally, it looks like your code could be easily subject to SQL injection. What if someone submits a form with the value: fake name' OR 1=1;DROP DATABASE someDbName;--?

You'll want to take advantage of SQL parameters, something like:

SqlCommand cmd = new SqlCommand(
  "SELECT name, castNotes, triviaNotes FROM tableName WHERE name = @show", conn);

cmd.Parameters.AddWithValue("@show", show);

John Rasch 2010-05-04 02:35:16

Alrighty... replace all `SqlWhatever` with `MySqlWhatever` if you're using MySQL ;)

John Rasch 2010-05-04 02:50:45

Thank you, but now I am getting the error: System.Data.SqlClient.SqlException: The data types text and varchar are incompatible in the equal to operator. After I switched it to the single quotes. That makes me think its a data type conversion issue but that makes no sense to me.

Ryan Sullivan 2010-05-04 03:30:23

@Ryan - is your `name` column of type `text`? I suggest you change it to `varchar(max)` and it will work with the equals sign. Alternatively you can do `WHERE name LIKE @show` instead, but I don't recommend that approach.

John Rasch 2010-05-04 03:48:37

Actually I just got it to work, Had to use LIKE instead of = in the query because the data in the table is stored as TEXT not varchar.Thank you for all the help, including the SQL injection solution, that was next on my list to figure out.

Ryan Sullivan 2010-05-04 04:00:06

Why don't you recommend the approach? I am just learning about SQL, I do not know much.

Ryan Sullivan 2010-05-04 04:01:58

@Ryan - you should generally reserve `text` columns for when you have large amounts of text you are storing... even then `varchar(max)` is probably still the best option if you're not searching it. Based on your data, it looks like `show` isn't going to grow that large so you could change the column type to `varchar(255)` and be fine. You may want to create a primary key out of that column if you expect it to be unique since you don't appear to be using a surrogate key.

John Rasch 2010-05-04 13:39:23

I totally agree with you, but unfortunately I do not own the database, nor do I have permissions to edit it. I am strictly querying the database. Thank you for all your help!

Ryan Sullivan 2010-05-06 06:46:13

ansaurus

tags:

views:

answers:

Problem with WHERE columnName = Data in MySQL query in C#

Quick solution:

More information:

related questions