I develop a simple WCF application which connects to a MySQL database. When I try to get data from the database with some condition, it shows an error.

Select query is:

string password = "123456";
string email = "pushpam@gmail.com";

openDatabase();
// The string values are concatenated straight into the SQL text without quotes,
// so MySQL tries to parse pushpam@gmail.com as part of the statement rather than as a value.
string query = "select email,password from BloobBank.bloodTable where email = "+email+" and password = "+password+";";
MySqlCommand cmd = new MySqlCommand(query, connection);
MySqlDataReader mysqlreader = cmd.ExecuteReader(); // this line gives error.

Error:

An exception of type 'MySql.Data.MySqlClient.MySqlException' occurred in MySql.Data.dll but was not handled in user code

Additional information: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com and password = 123456' at line 1

  • You should use parameters instead of building a query inline like that - you are open to SQL injection. See: [Bobby Tables](http://bobby-tables.com/) – Rufus L Apr 20 '17 at 00:25
  • @RufusL can you please give me some code. – Pushpam Kumar Apr 20 '17 at 00:26
  • To solve this, you probably need to add single quotes around your values: `where email = '" + email + "' and password = '" + password + "';";` – Rufus L Apr 20 '17 at 00:26
  • You should not normally create a SQL statement with string concatenation, as it leads to SQL injection. Please use prepared SQL statements instead. It will handle these kinds of errors as well. Please refer to https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare(v=vs.110).aspx –  Apr 20 '17 at 01:18
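The three query styles discussed in the thread, as an added example that is not the asker's code: the unquoted concatenation from the question, the quoted concatenation suggested in the comments, and a parameterised query. It uses Python's built-in sqlite3 with an in-memory table standing in for BloobBank.bloodTable, so it runs offline; the rows and the injection payload are constructed for the demonstration.

```python
import sqlite3

# Added example, not code from the question: an in-memory SQLite table standing in
# for BloobBank.bloodTable. The rows are constructed for this demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table bloodTable (email text, password text)")
    conn.executemany(
        "insert into bloodTable values (?, ?)",
        [("pushpam@gmail.com", "123456"), ("alice@example.com", "hunter2")],
    )
    return conn


def login_unquoted(conn, email, password):
    """The question's query as posted: values glued into the SQL with no quotes.

    The parser reads pushpam@gmail.com as identifiers and operators, not a string,
    which is the syntax error in the question. Returns None on a database error.
    """
    query = ("select email,password from bloodTable where email = " + email +
             " and password = " + password + ";")
    try:
        return sorted(r[0] for r in conn.execute(query).fetchall())
    except sqlite3.Error:
        return None


def login_concat(conn, email, password):
    """The quick fix from the comments: quote the values. Runs, but still injectable,
    because a quote or comment marker inside the input becomes part of the SQL."""
    query = ("select email,password from bloodTable where email = '" + email +
             "' and password = '" + password + "';")
    return sorted(r[0] for r in conn.execute(query).fetchall())


def login_param(conn, email, password):
    """Parameterised query: the driver sends the values separately from the SQL text,
    so quotes and comment markers in the input stay data and never change the query."""
    query = "select email,password from bloodTable where email = ? and password = ?;"
    return sorted(r[0] for r in conn.execute(query, (email, password)).fetchall())


if __name__ == "__main__":
    conn = make_db()
    # Constructed injection payload: closes the string, makes the WHERE always true,
    # and comments out the password check that follows.
    payload = "' OR 1=1 --"
    print("unquoted (question)  :", login_unquoted(conn, "pushpam@gmail.com", "123456"))
    print("quoted, valid login  :", login_concat(conn, "pushpam@gmail.com", "123456"))
    print("quoted, injected     :", login_concat(conn, payload, "anything"))
    print("parameterised, inject:", login_param(conn, payload, "anything"))
```

The quoted version returns every row for the injected e-mail, while the parameterised version returns nothing for it. The MySql.Data equivalent of `login_param` is to write `where email = @email and password = @password` in the query and bind the values with `cmd.Parameters.AddWithValue("@email", email)` and `cmd.Parameters.AddWithValue("@password", password)` before calling `ExecuteReader`. Separately from injection, comparing a plaintext password column in SQL means the passwords are stored unhashed; storing a salted hash and comparing it in application code is the usual fix.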
