1

I am trying to join two tables here but end up getting the error "incorrect syntax near toolid". Below is the code I am using. The values of toolsoutageid and toolid are sent from another page:

link.NavigateUrl = "~/OutageInfo.aspx?outageID=" + outageid + "toolid="+toolid;

string x = this.Request.QueryString["outageID"];
string y = this.Request.QueryString["toolid"];
SqlConnection con = new SqlConnection(@"xyz");//connection name
con.Open();
SqlCommand cmd = new SqlCommand("select toolname,ErrorDescription,StartTime,EndTime  from TransactionDetails,tools where ToolsOutageID=" + x +"and toolid="+y, con);
cmd.CommandType = CommandType.Text;
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);//Here I get the error
GridView1.DataSource = ds.Tables;            
GridView1.DataBind();
user635545

2 Answers

0

Give a space next to the "and" in the query string

select toolname,ErrorDescription,StartTime,EndTime  from TransactionDetails,tools where ToolsOutageID=" + x +" and toolid="+y
PEO
  • OK, let me ask something: are your parameters nullable? Are they accepting null values? If not, add '' for the parameters – PEO May 05 '14 at 05:21
  • OK, then assign a null value if x length is 0. Hope you got me. – PEO May 05 '14 at 05:37
  • Forget about your parameters. Just hard-code two parameters in the SQL string and let me know the result. Again, if you can, start the SQL profile and run it before you execute the query and see the last record of the profile record; let's try to at least get a clue. – PEO May 05 '14 at 07:36
  • Have you got the result? – PEO May 05 '14 at 20:25
0

Assuming that your parameters are strings, you should use `'` for your string compression.

select 
     toolname,
     ErrorDescription,
     StartTime,
     EndTime  
from 
     TransactionDetails
where 
     ToolsOutageID='" + x +"' 
     and toolid='"+y+"'"

But you should use a parameterised query instead of a query like the one above:
How do parameterized queries help against SQL injection?

Edit 1

int x = Convert.ToInt32(this.Request.QueryString["outageID"]);
int y = Convert.ToInt32(this.Request.QueryString["toolid"]);

 select 
     toolname,
     ErrorDescription,
     StartTime,
     EndTime  
from 
     TransactionDetails
where 
     ToolsOutageID=" + x +"
     and toolid="+y
शेखर
  • Error- Conversion failed when converting the varchar value '10toolid=1' to data type int. – user635545 May 05 '14 at 05:06
  • Are your parameters `int` or `string`? If they are `int`, then remove the single quotes. It is not necessary, but I will strongly recommend you use a parameterised query – शेखर May 05 '14 at 05:09
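
The parameterised query recommended in the second answer, written out as an added example (not code from any post in this thread). It assumes both columns are `int`; the class, method and parameter names (`OutageQueries`, `BuildOutageUrl`, `LoadOutage`, `@outageId`, `@toolId`) are hypothetical. It also builds the link with `&` between the two values, since the `'10toolid=1'` error in the comment above comes from the query string arriving as a single value.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class OutageQueries
{
    // Build the link with "&" between the two parameters; without it the
    // target page receives outageID=10toolid=1 as one value.
    public static string BuildOutageUrl(int outageId, int toolId)
    {
        return "~/OutageInfo.aspx?outageID=" + outageId + "&toolid=" + toolId;
    }

    // Returns null when either query-string value is missing or not an integer.
    // Call site (assumed): LoadOutage(Request.QueryString["outageID"],
    //                                 Request.QueryString["toolid"], connectionString)
    public static DataTable LoadOutage(string rawOutageId, string rawToolId,
                                       string connectionString)
    {
        int outageId, toolId;
        if (!int.TryParse(rawOutageId, out outageId) ||
            !int.TryParse(rawToolId, out toolId))
            return null; // reject instead of passing raw text to SQL

        // FROM clause kept as in the question. The values travel as typed
        // parameters and never become part of the SQL text, so spacing and
        // quoting mistakes (and injected SQL) cannot change the statement.
        const string sql =
            "select toolname, ErrorDescription, StartTime, EndTime " +
            "from TransactionDetails, tools " +
            "where ToolsOutageID = @outageId and toolid = @toolId";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@outageId", SqlDbType.Int).Value = outageId;
            cmd.Parameters.Add("@toolId", SqlDbType.Int).Value = toolId;

            var table = new DataTable();
            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(table); // Fill opens and closes the connection itself
            }
            return table;
        }
    }
}
```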