0

I can not understand where the error, I have another method that works properly it works the same way. It could be the 'WHERE' statement the problem?

Method that generates the exception:

public string[] GetData(string name, string surname)
{
        customerInformation = new List<string>();

        Connection();

        string sqlQuery = "SELELCT " +
            "Nome, " +
            "Cognome, " +
            "Giorno_Nascita, " +
            "Mese_Nascita, " +
            "Anno_Nascita, " +
            "Luogo_Nascita, " +
            "Residenza, " +
            "Provincia_Residenza, " +
            "Indirizzo_Residenza, " +
            "Civico_Residenza, " +
            "Domicilio, " +
            "Provincia_Domicilio, " +
            "Indirizzo_Domicilio, " +
            "Civico_Domicilio, " +
            "Mail, " +
            "Telefono_Fisso, " +
            "Telefono_Mobile, " +
            "Fax, " +
            "Codice_Fiscale " +
            "FROM DatiClienti WHERE Nome LIKE " + name + " AND Cognome LIKE " + surname + "'";

        dbCommand = new SqlCommand(sqlQuery, dbConnection);
        dbReader = dbCommand.ExecuteReader(); **//Exception Here**

        if(dbReader.HasRows)
        {
            while(dbReader.Read())
            {
                customerInformation.Add(dbReader["Nome"].ToString());
                customerInformation.Add(dbReader["Cognome"].ToString());
                customerInformation.Add(dbReader["Giorno_Nascita"].ToString());
                customerInformation.Add(dbReader["Mese_Nascita"].ToString());
                customerInformation.Add(dbReader["Anno_Nascita"].ToString());
                customerInformation.Add(dbReader["Luogo_Nascita"].ToString());
                customerInformation.Add(dbReader["Residenza"].ToString());
                customerInformation.Add(dbReader["Provincia_Residenza"].ToString());
                customerInformation.Add(dbReader["Indirizzo_Residenza"].ToString());
                customerInformation.Add(dbReader["Civico_Residenza"].ToString());
                customerInformation.Add(dbReader["Domicilio"].ToString());
                customerInformation.Add(dbReader["Provincia_Domicilio"].ToString());
                customerInformation.Add(dbReader["Indirizzo_Domicilio"].ToString());
                customerInformation.Add(dbReader["Civico_Domicilio"].ToString());
                customerInformation.Add(dbReader["Mail"].ToString());
                customerInformation.Add(dbReader["Telefono_Fisso"].ToString());
                customerInformation.Add(dbReader["Telefono_Mobile"].ToString());
                customerInformation.Add(dbReader["Fax"].ToString());
                customerInformation.Add(dbReader["Codice_Fiscale"].ToString());
            }
        }
        else
        {
            MessageBox.Show("Non ci sono dati per questo cliente.");
        }

        dbReader.Close();
        Disconnect();

        return customerInformation.ToArray();
    }

And this is the method working properly:

public List<string> GetSearchableData()
    {
        Connection();

        customerName = new List<string>();

        string sqlQuery = "SELECT * FROM DatiClienti";
        dbCommand = new SqlCommand(sqlQuery, dbConnection);
        dbReader = dbCommand.ExecuteReader();

        if(dbReader.HasRows)
        {
            while(dbReader.Read())
            {
                string name = dbReader.GetString(1);
                string surname = dbReader.GetString(2);

                customerName.Add(name + " " + surname);
            }
        }

        return customerName;
    }

How can I fix this?

Thanks in advance.

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Trese
  • 133
  • 1
  • 1
  • 13
  • 2
    Google Prepared Statements – juergen d Apr 16 '17 at 10:06
  • 3
    You have a problem with the `'` in the `like` : `Cognome LIKE " + surname + "'`.. but really - instead of fixing it look up parameterized queries. This code is susceptible for sql injections – Gilad Green Apr 16 '17 at 10:07
  • 1
    Read this question carefully http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – Steve Apr 16 '17 at 10:13
  • Thanks for fast reply, how can I avoid injections? There is any guide? – Trese Apr 16 '17 at 10:15
  • 2
    Regarding "prepared statements" (aka "parameterized queries"), in ADO.NET it basically comes down to using `SqlParameter`s: add them to your `SqlCommand` via `sqlCommand.Parameters.Add(new SqlParameter("@cognome", SqlDbType.…) { [Sql]Value = … })`, then refer to them by name inside the statement text, e.g. `… WHERE Cognome LIKE @cognome …`). Plenty of questions about that on SO! – stakx - no longer contributing Apr 16 '17 at 10:26

1 Answers1

3

You have 2 syntax problems as pointed out in the comments and several design issues.

Syntax Issues

  1. Syntax issue - SELECT, not SELELCT
  2. The LIKE parameters should be surrounded with single quotes.

Design Issues

ADO.NET

To fix your actual design you need to scrap your DAL or redesign it. Just use the ADO.NET types directly instead of trying to encapsolute them OR find a solution on GitHub that has been tested and user community approved. If you can use an ORM instead to completely remove your need on using ADO.NET directly.

Also do not reuse database connections across your application, it is best to keep these short lived so use it and dispose it. Do this with using statements.

Types

Use types, you are now treating everything as string which is very bad practice as not everything is a string. Return a new Client type, not a list of strings. Make sure the Client type has properties of the correct type like DateTime for date of birth (for example).

Code Fix

Client client = null;

string sqlQuery = "SELECT Nome, Cognome, Giorno_Nascita, Mese_Nascita, Anno_Nascita, Luogo_Nascita, Residenza, Provincia_Residenza, Indirizzo_Residenza, Civico_Residenza, Domicilio, Provincia_Domicilio, Indirizzo_Domicilio, Civico_Domicilio, Mail, Telefono_Fisso, Telefono_Mobile, Fax, Codice_Fiscale " +
"FROM DatiClienti " +
"WHERE Nome LIKE  @name AND Cognome LIKE  @surname";

using (SqlConnection con = new SqlConnection("Your Connection, ideally from an app.config"))
using (SqlCommand cmd = new SqlCommand(sqlQuery, con))
{
    con.Open();
    cmd.Parameters.Add(new SqlDbParameter("@name", SqlDbType.VarChar, 200){Value = name}); // specify the correct DbType and Length
    cmd.Parameters.Add(new SqlDbParameter("@surname", SqlDbType.VarChar, 200){Value = surname}); // specify the correct DbType and Length
    using(var reader = cmd.ExecuteReader())
    {
        if(dbReader.Read())
        {
            client = new Client();
            client.Nome = reader.GetString(0);
            client.Cognome = reader.GetString(1);
            client.GiornoNascita = reader.GetString(2);
            client.MeseNascita = reader.GetString(3);
            // etc
        }
    }
}
return client;
Graham
  • 7,431
  • 18
  • 59
  • 84
Igor
  • 60,821
  • 10
  • 100
  • 175