0
protected void DropDownServerName_SelectedIndexChanged(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Database_Shared_NotebookConnectionString"].ConnectionString);

    conn.Open();

    string serverName = DropDownServerName.SelectedValue;

    string sqlquery = ("SELECT Architecture FROM tblServer WHERE (ServerName = " + serverName + ")");

    SqlCommand command = new SqlCommand(sqlquery, conn);

    txtUpdateArchitecture.Text = command.ExecuteScalar().ToString();

    conn.Close();
}

The DropDownServerName is already connected to SQL Server using SqlDataSource to show the list of values in the ServerName column.

After I select a value called "Brad", I want the value from the Architecture column for Brad to show up in the textbox. However, I got an error saying: Invalid column name "Brad". The column is supposed to be ServerName, and Brad is just a value in the ServerName column.

cspolton
StudentIT

4 Answers

3

You need quotes around your servername:

string sqlquery = ("SELECT Architecture FROM tblServer WHERE (ServerName = '" + serverName + "')");

Or better still, use a parameterized query [it is safer against SQL injection and funny characters in the string that can pollute your query]:

string sqlquery = "SELECT Architecture FROM tblServer WHERE ServerName = @ServerName";

SqlCommand command = new SqlCommand(sqlquery, conn);
command.Parameters.AddWithValue("@ServerName", serverName);
codingbiz
  • 4 Better yet, use parameters to avoid SQL injection. – Patko Oct 11 '12 at 19:00
  • Nice, others are telling this guy to concatenate rather than telling him to use parameters – Scott Selby Oct 11 '12 at 19:02
  • Maybe SO should have some algorithm to detect this and would redirect to http://stackoverflow.com/questions/601300/what-is-sql-injection or something similar :) – Patko Oct 11 '12 at 19:07
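
The three query forms discussed on this page, side by side, as an added example that is not part of the original question or answers. It uses Python's built-in sqlite3 with an in-memory table as a stand-in for SQL Server (the error text differs from SQL Server's "Invalid column name"); the sample rows and function names are constructed for illustration, and `?` is sqlite3's placeholder where ADO.NET uses `@ServerName`.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names are the ones from the question.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblServer (ServerName TEXT PRIMARY KEY, Architecture TEXT)")
    conn.executemany("INSERT INTO tblServer VALUES (?, ?)",
                     [("Brad", "x64"), ("O'Neil", "x86"), ("Zed", "ARM")])
    return conn

def lookup(conn, sql, params=()):
    """Return the Architecture value, None if no row matched, or 'ERROR: ...'."""
    try:
        row = conn.execute(sql, params).fetchone()
        return row[0] if row else None
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)

def unquoted(conn, name):
    # The question's query: the value lands in the SQL text as a bare token,
    # so the parser reads it as a column name.
    return lookup(conn, "SELECT Architecture FROM tblServer WHERE (ServerName = " + name + ")")

def quoted(conn, name):
    # Concatenation with quotes: works until the value itself contains a quote,
    # at which point the value becomes part of the SQL syntax.
    return lookup(conn, "SELECT Architecture FROM tblServer WHERE (ServerName = '" + name + "')")

def parameterized(conn, name):
    # The value travels separately from the SQL text and is only compared as data.
    return lookup(conn, "SELECT Architecture FROM tblServer WHERE ServerName = ?", (name,))

if __name__ == "__main__":
    conn = make_db()
    tampered = "nobody' OR '1'='1"  # constructed value that is not a server name
    for name in ("Brad", "O'Neil", tampered):
        print(repr(name), "|", unquoted(conn, name), "|",
              quoted(conn, name), "|", parameterized(conn, name))
```

Only the parameterized form returns the right answer for all three inputs: the quoted form fails on the legitimate name `O'Neil` and returns a row for a name that does not exist.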
0

Add ' ' around servername in the WHERE clause:

... WHERE ServerName = '" + serverName + "' ...
Z .
0

Try this instead. It should work with the single quotes.

string sqlquery = ("SELECT Architecture FROM tblServer WHERE ServerName = '" + serverName + "'");
Andrew
0

You probably are missing single quotes around the variable. Try this:

protected void DropDownServerName_SelectedIndexChanged(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Database_Shared_NotebookConnectionString"].ConnectionString);

    conn.Open();

    string serverName = DropDownServerName.SelectedValue;

    string sqlquery = ("SELECT Architecture FROM tblServer WHERE (ServerName = '" + serverName + "')");

    SqlCommand command = new SqlCommand(sqlquery, conn);

    txtUpdateArchitecture.Text = command.ExecuteScalar().ToString();

    conn.Close();
}
jags
  • You have introduced more syntax errors into that query with the **wrong placement** of the quotes. But I didn't downvote – codingbiz Oct 11 '12 at 19:05
  • @codingbiz thanks, I have corrected it, though my answer is not correct. Others have posted the correct answer about using a parameterized query instead of using single quotes in the same query. – jags Oct 11 '12 at 19:15
  • Your answer is correct but is discouraged for security reasons. – codingbiz Oct 11 '12 at 19:20