This Oracle SQL query written in c# is giving me the following error : invalid character
qur = " select * from emp where name LIKE '%" + TextBox1.Text + "%'";
How can I solve this?
Asked
Active
Viewed 717 times
0
Hugo Dozois
- 8,147
- 12
- 54
- 58
Shanna
- 753
- 4
- 14
- 34
-
3please do parameterized the query. what if i set the value of my textbox with `'; DROP emp; --` – John Woo Mar 27 '13 at 13:05
-
4The problem doesn't seem to be on `%` character. What does `TextBox1.Text` contain? – Claudio Redi Mar 27 '13 at 13:07
-
I enter a name, with some characters – Shanna Mar 27 '13 at 13:12
2 Answers
4
The problem is your query is very open to Sql Injection attacks. Since you are not using parametrized queries anything entered in TextBox1 can crush your query.
for example if I enter : ' char in Textbox your query will be select * from emp where name LIKE '%'%' and it will throw error. And apart from that it is vulnerability and you should not use such queries.
You can change query to :
SqlCommand cmd= new SqlCommand( " select * from emp where name LIKE @myParam");
cmd.Parameters.AddWithValue("@myParam", "%" + TextBox1.Text + "%");
you missed @
-
1@SandraDsouza you are welcome. Just be careful about Sql Injection attacks. It is a very serious problem. – adt Mar 27 '13 at 13:27
-2
you should use it as below:
qur = " select * from emp where name LIKE '%'" + TextBox1.Text + "'%'";
Code Rider
- 2,003
- 5
- 32
- 50