
The following error is occurring when I run my code below. I am running a user registration page with details such as first name, last name, user name, password etc. "ID" is my primary key. Error: "An exception of type 'System.ArgumentException' occurred in System.Data.dll but was not handled in user code Additional information: Format of the initialization string does not conform to specification starting at index 0."

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Data.SqlClient;
using System.Data;

namespace WebApplication_Assignment
{
    public partial class User_Registration_WebForm : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {

        }

        protected void Button_SubmitUserReg_Click(object sender, EventArgs e)
        {
            //Response.Write("Your registration is successful");

            string sql = "SELECT * from User_Table where User_Name = @username";

            // The literal "ConnectionString" is not a valid connection string (no key=value
            // pairs), which is what raises the "Format of the initialization string does not
            // conform to specification starting at index 0" exception reported above.
            using (SqlConnection connection = new SqlConnection("ConnectionString"))
            using (SqlCommand command = new SqlCommand(sql, connection))
            {
                var userParam = new SqlParameter("username", SqlDbType.VarChar);
                userParam.Value = TextBox_UserName.Text;

                command.Parameters.Add(userParam);

                connection.Open(); // the connection must be open before ExecuteReader is called
                var results = command.ExecuteReader();
            }
        }
    }
}
sullkid16
  • Why is your error logging code commented out? Let's see the actual exception msg please... Also: don't concatenate strings; use parameters – Mitch Wheat Nov 21 '16 at 00:26
  • I have errors with the error logging code, so I removed it to move on with the rest of the code; these are the errors for that: error CS1519: Invalid token 'catch' in class, struct, or interface member declaration, error CS1002: ; expected, error CS1519: Invalid token '(' in class, struct, or interface member declaration, error CS0116: A namespace cannot directly contain members such as fields or methods. – sullkid16 Nov 21 '16 at 00:40
  • Here is the full error when I comment out the error logging code: An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code Additional information: Incorrect syntax near 'Sullivan'. Unclosed quotation mark after the character string ')'. – sullkid16 Nov 21 '16 at 00:45
  • P.S. I do not know how to use parameters; help/advice there, if you think the code would be more efficient, would be really appreciated! – sullkid16 Nov 21 '16 at 00:47
  • Hey Mitch, I have edited the code and hopefully using the parameters correctly for my project. Does it matter that I have username first even though ID is my primary key in the first column of my table? – sullkid16 Nov 21 '16 at 16:17

1 Answer

Because you are not using parameters, you have a surname (last name) that is almost certainly "O'Sullivan". See that single quote; it is causing the TSQL statement to be improperly formed.

If you concatenate strings you run into problems like this and open yourself up to SQL Injection attacks. Always use parameters.

Here's a simple example:

string sql = "SELECT * from employee where username = @username";

using (SqlConnection connection = new SqlConnection("connection string"))
using (SqlCommand command = new SqlCommand(sql, connection))
{
    // The value is bound as a typed parameter, so a quote inside it cannot break the statement
    var userParam = new SqlParameter("username", SqlDbType.VarChar);
    userParam.Value = txtUsername.Text;

    command.Parameters.Add(userParam);

    connection.Open(); // open the connection before executing the command
    var results = command.ExecuteReader();
}

There are numerous references to SQL Injections attacks on SO. Here's one example:

Why do we always prefer using parameters in SQL statements?

Mitch Wheat
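An added example, not code from the question or from Mitch Wheat's answer, that carries the answer's advice through a registration handler for the asker's User_Table: it reads the connection string from Web.config (which also resolves the "initialization string" exception in the question) and binds every value as a parameter. The config name RegistrationDb, the columns First_Name and Last_Name and the column lengths are assumptions; the password column is left out because storing it safely is a separate topic.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
// Assumed Web.config entry (the name "RegistrationDb" is hypothetical):
// <connectionStrings>
//   <add name="RegistrationDb" connectionString="Server=.;Database=AssignmentDb;Integrated Security=True" />
// </connectionStrings>
public static class UserRegistration
{
    // Passing the literal "ConnectionString" to SqlConnection is what raises
    // "Format of the initialization string does not conform to specification";
    // the real string must come from configuration.
    private static string ConnStr =>
        ConfigurationManager.ConnectionStrings["RegistrationDb"].ConnectionString;

    // Inserts the user and returns true when the user name is free; false otherwise.
    // Every user-supplied value is bound as a typed parameter, so a last name such
    // as O'Sullivan is sent as data and can never change the statement text.
    public static bool Register(string userName, string firstName, string lastName)
    {
        const string existsSql =
            "SELECT COUNT(*) FROM User_Table WHERE User_Name = @username";
        const string insertSql =
            "INSERT INTO User_Table (User_Name, First_Name, Last_Name) " +
            "VALUES (@username, @firstname, @lastname)";

        using (var connection = new SqlConnection(ConnStr))
        {
            connection.Open(); // required before any Execute* call

            using (var check = new SqlCommand(existsSql, connection))
            {
                check.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = userName;
                if ((int)check.ExecuteScalar() > 0)
                    return false; // user name already taken
            }

            using (var insert = new SqlCommand(insertSql, connection))
            {
                // Parameter order has nothing to do with the table's column order or
                // its ID primary key; each value is matched by its @name.
                insert.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = userName;
                insert.Parameters.Add("@firstname", SqlDbType.NVarChar, 50).Value = firstName;
                insert.Parameters.Add("@lastname", SqlDbType.NVarChar, 50).Value = lastName;
                return insert.ExecuteNonQuery() == 1;
            }
        }
    }
}
```

The SELECT only supplies a friendly "already taken" message; two concurrent registrations can both pass it, so a UNIQUE constraint on User_Name is the real guard.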