Incorrect syntax near ',' error in asp.net?

Question

This is my code in Asp.Net and C#. I am trying to figure out this error from 2 hours but unable to find.

Any kind of help is appreciated.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;

public partial class Result : System.Web.UI.Page
{
    SqlConnection con;
    SqlCommand cmd;
    SqlDataReader dr;

    string city1, area1, type1, min, max;
    int id;

    protected void Page_Load(object sender, EventArgs e)
    {
       city1 = Request.QueryString["city"];
       area1 = Request.QueryString["area"];
       // type1 = Request.QueryString["propertytype"];
       type1= "1bhk";
       min = Request.QueryString["minprice"];
       max = Request.QueryString["maxprice"];
       //  id = Convert.ToInt32(Request.QueryString["uid"]);
       id = 1;

       con = new SqlConnection("integrated security=true; database=data1; server=sudhir-pc");
       con.Open();

       cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"', area='"+area1+"', propertytype='"+type1+"', users_id="+id+"", con);
       //  cmd1 = new SqlCommand("select frstname,laststname,contactno from users where users_id='"+id+"'", con);

       dr = cmd.ExecuteReader();

       while (dr.Read())
       {
           Label1.Text = (string)dr["price"];
           string area = (string)dr["area"];
           string image = (string)dr["imagename"];
           int id1 = (int)dr["users_id"];
       }
    }
}

Error line is dr=cmd.executereader();. Same query runs on sql server. can this kind of error be logical?

If it's a compile error please provide the full error text. If It's a run-time error please provide the full exception message along with inner exceptions and the stack trace. — Andrew Savinykh, Jun 17 '14 at 05:03
I guess, some of the parameters in the QueryStirng may be coming as blank — Typist, Jun 17 '14 at 05:06
my first thought here is that TSQL is a very specific language, and I believe it expects a space after a comma in a select statement like this. I don't think select `price,area,imagename`...... without spaces will work. — Claies, Jun 17 '14 at 05:08
[SQL Injection alert](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - you should **not** concatenate together your SQL statements - use **parametrized queries** instead to avoid SQL injection — marc_s, Jun 17 '14 at 05:09
@marc_s Agreed. Some majorly dangerous code here. The values come straight from the query string. — Joshua, Jun 17 '14 at 05:10
or more likely, there is a `,` in one of the variables? which ties in with @marc_s — Claies, Jun 17 '14 at 05:11

score 4 · Accepted Answer · edited May 23 '17 at 12:33

4

replace your comma's with and in your command.So,

cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"', area='"+area1+"', propertytype='"+type1+"', users_id="+id+"", con);

would become

cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"' and area='"+area1+"' and propertytype='"+type1+"' and users_id="+id+"", con);

A part from that, this is not the way how you should be doing it. You should always use Paremeterized queries. You can read the pros of that here and here.

edited May 23 '17 at 12:33

Community

1
1

answered Jun 17 '14 at 04:48

Ehsan

31,833
6
56
65

same error is coming and pissing me off can it be logical ? bt i dont think so – PATIL DADA Jun 17 '14 at 04:54
Well have you copied it exactly as i have suggested? is user_id an int? – Ehsan Jun 17 '14 at 05:30
@user2646803 if your problem solved Mark this answer as useful – Nagaraj S Jun 17 '14 at 06:41

Nagaraj S · Answer 2 · 2014-06-17T05:36:56.620

2

You have to use and after where condition not comma's

You are in SQL Injection attack..Always use paremeterized queries

cmd = new SqlCommand("select price,area,imagename,users_id from property where 
                       city=@city1 and area=@area1 and 
                       propertytype=@type1 and users_id=@id", con);
cmd.Parameters.AddWithValue("@city1",city1);
cmd.Parameters.AddWithValue("@area1",area1);
cmd.Parameters.AddWithValue("@type1",type1);
cmd.Parameters.AddWithValue("@id",id);
dr = cmd.ExecuteReader();

edited Jun 17 '14 at 05:36

answered Jun 17 '14 at 05:24

Nagaraj S

13,316
6
32
53

sir is that right way to pass information ? querystring ? – PATIL DADA Jun 17 '14 at 06:44
@user2646803 yeah you can use querystring – Nagaraj S Jun 17 '14 at 06:46

score 0 · Answer 3 · 2014-06-17T06:25:26.183

You can try this :

cmd = new SqlCommand("select price,area,imagename,users_id from property where city=@city and area=@area and propertytype=@proprtytype and users_id=@userid ", con);
cmd.Parameters.AddWithValue("@city", city1);
cmd.Parameters.AddWithValue("@area", area1);
cmd.Parameters.AddWithValue("@propertytype", type1);
cmd.Parameters.AddWithValue("@userid", id);

   //  cmd1 = new SqlCommand("select frstname,laststname,contactno from users where users_id='"+id+"'", con);

   dr = cmd.ExecuteReader();

Incorrect syntax near ',' error in asp.net?

3 Answers3