Unable to execute cmd.ExecuteReader()

Question

Here is the code where i'm trying to retrieve user name using emailid.

string query="select name from userdetails where emailid=" + email + ";" ;
connection.Open();
MySqlCommand cmd = new MySqlCommand(query,connection);
MySqlDataReader rd = cmd.ExecuteReader();
while(rd.Read())
{ 
    uname = (string)rd["emailid"];  
    return uname;
}

What is a typical value of `email`, and where does it come from? What does "unable to execute" mean? It doesn't compile? It compiles but throws an exception? What is the exception? — Dour High Arch, May 21 '13 at 18:30

John Woo · Answer 1 · 2013-05-21T15:30:12.923

parameterized the value to avoid from SQL Injection

string query="select name from userdetails where emailid=@email" ;
MySqlCommand cmd = new MySqlCommand(query,connection);
cmd.Parameters.AddWithValue("@email", email);

Try this code snippet:

string connStr = "connection string here";
string sqlStatement = "select name from userdetails where emailid=@email";
using (MySqlConnection conn = new MySqlConnection(connStr))
{
    using(MySqlCommand comm = new MySqlCommand())
    {
        comm.Connection = conn;
        comm.CommandText = sqlStatement;
        comm.CommandType = CommandType.Text;

        comm.Parameters.AddWithValue("@email", email);

        try
        {
            conn.Open();
            MySqlDataReader rd = cmd.ExecuteReader();
            // other codes
        }
        catch(SqlException e)
        {
            // do something with the exception
            // do not hide it
            // e.Message.ToString()
        }
    }
}

For proper coding

use using statement for proper object disposal
use try-catch block to properly handle exception

For Strings, use Add() instead of AddWithValue! http://stackoverflow.com/questions/9155004/difference-with-parameters-add-and-parameters-addwithvalue — Fabian Bigler, May 21 '13 at 15:31
@FabianBigler thanks for reminding my question back then. I used `AddWithValue()` for normal cases `:)` — John Woo, May 21 '13 at 15:33

score 2 · Answer 2 · answered May 21 '13 at 15:23

Put you emailin sigle qoute because it is varchar like this..

string query="select name from userdetails where emailid='" + email + "';" ;

But this may cause SQL Injection...so use this...

 string query="select name from userdetails where emailid=@email;" ;
MySqlCommand cmd = new MySqlCommand(query,connection);
cmd.Parameters.AddWithValue("@email",email);

score 1 · Answer 3 · answered May 21 '13 at 15:24

Update your select query like this with adding email in single quote:

   string query = "select name from userdetails where emailid='" + email +"';";

or you can use parametrized query like this :

string query="select name from userdetails where emailid=@email" ;
MySqlCommand cmd = new MySqlCommand(query,connection);
cmd.Parameters.AddWithValue("@email", email);

Unable to execute cmd.ExecuteReader()

3 Answers3