locked
hello everyone i have problem in my code please resole this as soon as possible RRS feed

  • Question

  • User22552789 posted

    Incorrect syntax near '='.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

    Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near '='.

    Source Error: 

    Line 39:                 string checkcolorQuery = "select Color1,Color2,Color3,Color4 from Username='" + TextBoxUserName.Text + "'";
    Line 40:                 SqlCommand colorCom = new SqlCommand(checkcolorQuery, conn);
    Line 41:                 string color = colorCom.ExecuteScalar().ToString();
    Line 42:                 if (color == TextBoxColor1.Text && color == TextBoxColor2.Text && color == TextBoxColor3.Text && color == TextBoxColor4.Text)
    Line 43:                 {

    My code:-

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Data.SqlClient;
    using System.Configuration;

    public partial class Login : System.Web.UI.Page
    {
    protected void Page_Load(object sender, EventArgs e)
    {


    }
    protected void Button_Login_Click(object sender, EventArgs e)
    {

    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationConnectionString"].ConnectionString);
    conn.Open();
    string checkuser = "select count(*) from UserData where Username ='" + TextBoxUserName.Text + "'";
    SqlCommand com = new SqlCommand(checkuser, conn);
    int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
    conn.Close();
    if (temp == 1)
    {
    conn.Open();
    string checkPasswordQuery = "select Password from UserData where Username ='" + TextBoxUserName.Text + "'";
    SqlCommand passComm = new SqlCommand(checkPasswordQuery, conn);
    string password = passComm.ExecuteScalar().ToString().Replace(" ","");

    if (password == TextBoxPassword.Text)
    {

    Response.Write("Password is correct");


    string checkcolorQuery = "select Color1,Color2,Color3,Color4 from Username='" + TextBoxUserName.Text + "'";
    SqlCommand colorCom = new SqlCommand(checkcolorQuery, conn);
    string color = colorCom.ExecuteScalar().ToString();
    if (color == TextBoxColor1.Text && color == TextBoxColor2.Text && color == TextBoxColor3.Text && color == TextBoxColor4.Text)
    {
    Session["New"] = TextBoxUserName.Text;
    Response.Write("Color Priority is correct");
    Response.Redirect("User.aspx");
    }

    else
    {
    Response.Write("Color Priority is not correct");
    }

    }
    else
    {
    Response.Write("Password is not correct");
    }


    }
    else
    {
    Response.Write("Username is not correct");
    }

    }
    }

    Wednesday, April 9, 2014 8:59 AM

Answers

  • User-760709272 posted

    This isn't valid t-sql

    select Color1,Color2,Color3,Color4 from Username='" + TextBoxUserName.Text + "'";

    It is

    SELECT field FROM table WHERE field = 'value'

    Did you mean something like

    select Color1,Color2,Color3,Color4 from [Users] where Username='" + TextBoxUserName.Text + "'";
    

    You should also google how to use parameterised queries as your code is open to sql injection attacks.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 9, 2014 9:06 AM

All replies

  • User-760709272 posted

    This isn't valid t-sql

    select Color1,Color2,Color3,Color4 from Username='" + TextBoxUserName.Text + "'";

    It is

    SELECT field FROM table WHERE field = 'value'

    Did you mean something like

    select Color1,Color2,Color3,Color4 from [Users] where Username='" + TextBoxUserName.Text + "'";
    

    You should also google how to use parameterised queries as your code is open to sql injection attacks.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 9, 2014 9:06 AM
  • User724169276 posted

    you cant use execute scalar when the query is returning you more than one value.

    string checkcolorQuery = "select Color1 from Username='" + TextBoxUserName.Text + "'";
    SqlCommand colorCom = new SqlCommand(checkcolorQuery, conn);
    string color = Convert.ToString(colorCom.ExecuteScalar());

    morover as aidyf suggested use parameterized query or stored procedure to avoid sql injections.

    Wednesday, April 9, 2014 9:11 AM