string constring = "datasource=127.0.0.1;port=3306;username=user;password=pass;database=raw_data";
string Query = "SELECT * FROM data WHERE symbol='" + textBox1.Text + "';";
try
{
    MySqlConnection connDataBase = new MySqlConnection(constring);
    MySqlCommand cmd = new MySqlCommand(Query,connDataBase);
    connDataBase.Open();
    MySqlDataReader reader = cmd.ExecuteReader();

I tried to change it many times, but unsuccessfully, and looked for a solution, which was not found.

Dave Zych
kipatbarzel1
  • What line is this error being thrown? What is the stack trace? Are you familiar with SQL injection http://stackoverflow.com/questions/601300/what-is-sql-injection? – Kritner Sep 16 '15 at 19:20
  • Change the query use cmd.Parameters... – MethodMan Sep 16 '15 at 19:20

1 Answer


Well, you have quite a few issues:

  • MySQL does not use an argument datasource in the connection string. Perhaps server?
  • We cannot tell what will happen with the string in the query variable since we don't know the contents of the text box. You should show us the contents of that variable after the concatenation.
  • Performing string concatenation to produce SQL as you are doing is both error prone (what happens if there's a single quote character in the string) and dangerous (someone can exploit the difficulty to push random SQL into your database). You should read about parameterized SQL queries which are easy to construct and safer to use.
  • The variable name Query is not a good one as it's mis-cased and may well conflict with a class name.
  • The name data is dangerous for a table and symbol likewise for a column name as they may well conflict with reserved words. If you must use them, enclose them in the proper identifier quotes for your database.
Larry Lustig
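
One way to write the lookup with a parameterized query, as the answer and the cmd.Parameters comment suggest. This is an added example, not code from the question or the answer: the class and method names are hypothetical, and it assumes the MySql.Data (Connector/NET) package, a reachable server holding the question's raw_data database, and a text-typed symbol column.

```csharp
using System;
using MySql.Data.MySqlClient;

static class SymbolLookup   // hypothetical name, not from the question
{
    // Host, port, credentials and database are the question's values.
    const string ConnString =
        "server=127.0.0.1;port=3306;uid=user;pwd=pass;database=raw_data";

    // Returns the number of rows whose symbol column equals the input exactly.
    public static int PrintRowsForSymbol(string symbol)
    {
        // The SQL text is a constant: user input never becomes part of it.
        // Backticks quote the identifiers, as the answer's last point advises.
        const string sql = "SELECT * FROM `data` WHERE `symbol` = @symbol;";

        using (var conn = new MySqlConnection(ConnString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            // The value is bound as data, so a single quote in it cannot
            // terminate the string literal or alter the statement.
            // VarChar is an assumption about the column type.
            cmd.Parameters.Add("@symbol", MySqlDbType.VarChar).Value = symbol;

            conn.Open();
            using (MySqlDataReader reader = cmd.ExecuteReader())
            {
                int rows = 0;
                while (reader.Read())
                {
                    rows++;
                    Console.WriteLine(reader["symbol"]);
                }
                return rows;
            }
        }
    }

    static void Main()
    {
        // Constructed sample inputs: a plain symbol and one containing a single
        // quote, which would break the concatenated query from the question.
        foreach (string input in new[] { "AAPL", "BRK'A" })
        {
            try { Console.WriteLine(input + ": " + PrintRowsForSymbol(input) + " row(s)"); }
            catch (MySqlException ex) { Console.Error.WriteLine("Query failed: " + ex.Message); }
        }
    }
}
```

In the form from the question, the textBox1.Text value would be passed as the symbol argument.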