Runtime Error

    Question

  •         protected void btnload_Click(object sender, EventArgs e)
            {
                string cs = "select * from Student where StuID like'"+txt1.Text+"'%";
                SqlDataAdapter da = new SqlDataAdapter(cs, con);
                DataSet ds = new DataSet();
                da.Fill(ds, cs);

                ViewState["SQL_QUERY"] = da;
                ViewState["DATA_SET"] = ds;

                if (ds.Tables["Student"].Rows.Count > 0)
                {
                    DataRow dr = ds.Tables["Student"].Rows[0];
                    txtname.Text = dr["Stuname"].ToString();
                    txtmarks.Text = dr["Total_marks"].ToString();
                    ddl1.SelectedValue = dr["Gender"].ToString();
                }
                else
                {
                    lblresult.ForeColor = Color.Red;
                    lblresult.Text = "Record Not Found with This: " + txt1.Text;
                }
            }

    This error is coming:

    Incorrect syntax near '%'.

    Line 24:             SqlDataAdapter da = new SqlDataAdapter(cs, con);
    Line 25:             DataSet ds = new DataSet();
    Line 26:             da.Fill(ds, cs);

    Help me.

    How do I get out of this problem?

    Thursday, October 13, 2016 3:19 PM

Answers

  • Trivial error: the "'%" should be "%'".

    However, you should never concatenate user input in a SQL query. This opens your code to SQL injection attacks, apart from other drawbacks such as failing when the input has special characters such as a quote, or having bad performance due to not reusing the cached statements at the server side.

    Some other bad practices in your code involve storing the DataSet in the ViewState (which will cause a huge ViewState to be pumped twice on every postback between client and server), as well as attempting to store in the ViewState the DataAdapter, which is not serializable.

    Your Fill method is also using the SQL query for the name for the table, so it will later crash when you attempt to access ds.Tables["Student"], since your DataTable is not named "Student" but "select * from Student where StuID like'"+txt1.Text+"'%" (which is a legal but weird name for a DataTable).

    Anyway, all of these things would be better explained in one of the programming forums in MSDN. This Training and Certification forum is not intended to actually train you, but rather to discuss the various training courses and other training options that you can use for your training.

    Thursday, October 13, 2016 8:28 PM
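A corrected handler, added here as an example and not the poster's or the answerer's code, applying the four points of the answer above: wildcard position, a parameterized query instead of concatenation, no DataSet or DataAdapter in ViewState, and a DataTable actually named "Student". It assumes the same control names and the same SqlConnection field `con` as the question; the class name and the connection-string name "StudentDb" are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;

public partial class StudentPage : System.Web.UI.Page   // class name assumed
{
    // Assumed to be the same SqlConnection the original code passes as "con".
    private SqlConnection con = new SqlConnection(
        System.Configuration.ConfigurationManager.ConnectionStrings["StudentDb"].ConnectionString); // name assumed

    protected void btnload_Click(object sender, EventArgs e)
    {
        // The LIKE pattern is a parameter, so user input is never spliced into
        // the SQL text and the "'%" vs "%'" mistake cannot recur.
        const string sql =
            "SELECT Stuname, Total_marks, Gender FROM Student WHERE StuID LIKE @prefix";

        var ds = new DataSet();
        using (var cmd = new SqlCommand(sql, con))
        using (var da = new SqlDataAdapter(cmd))
        {
            // A quote in txt1.Text can no longer close the literal. Note that '%'
            // and '_' typed by the user still act as LIKE wildcards unless escaped.
            // Column length 50 is assumed.
            cmd.Parameters.Add("@prefix", SqlDbType.NVarChar, 50).Value = txt1.Text + "%";

            // Name the table "Student" so ds.Tables["Student"] resolves; the original
            // passed the SQL string itself as the table name. Fill opens and closes
            // the connection itself.
            da.Fill(ds, "Student");
        }

        // Nothing goes into ViewState: SqlDataAdapter is not serializable and the
        // DataSet would otherwise be round-tripped on every postback.
        DataTable table = ds.Tables["Student"];
        if (table.Rows.Count > 0)
        {
            DataRow dr = table.Rows[0];
            txtname.Text = dr["Stuname"].ToString();
            txtmarks.Text = dr["Total_marks"].ToString();
            ddl1.SelectedValue = dr["Gender"].ToString();
        }
        else
        {
            lblresult.ForeColor = Color.Red;
            lblresult.Text = "Record Not Found with This: " + txt1.Text;
        }
    }
}
```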

All replies

  • Your question should be posted to the appropriate MSDN forum
    Thursday, October 13, 2016 6:11 PM
    Answerer