
I'm creating a login window in C# with SQL Server following this guy's tutorial: https://www.youtube.com/watch?v=NX8-LhgFnUU

I did everything like he did, but I get an error in my code when I debug the app, type a username and password and click login. It brings me to the following code (from my screenshots):

Code:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection sqlcon = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=E:\eAlati - 1366x768\FastFoodDemo\DB\logindb.mdf;Integrated Security=True;Connect Timeout=30");
    // The statement is built by concatenating the typed username and password into the SQL text,
    // and the table is named "Table"; this is the line the debugger stops on.
    string query = "Select * from Table Where username = '" + txtUsername.Text.Trim() + "' and password = '" + txtPassword.Text.Trim() + "'";

    SqlDataAdapter sda = new SqlDataAdapter(query, sqlcon);
    DataTable dtbl = new DataTable();
    sda.Fill(dtbl);   // opens the connection, runs the query and fills dtbl with the result rows

    if (dtbl.Rows.Count == 1)
    {
        // Exactly one matching row: treat the login as successful and open the next form.
        ucitavanje objUcitavanje = new ucitavanje();
        this.Hide();
        objUcitavanje.Show();
    }
    else
    {
        MessageBox.Show("Vaše korisničko ime ili lozinka nisu točni! Pokušajte ponovno");
    }
}

Thanks for understanding :)

  • Table is a reserved keyword in SQL Server (or practically in any database system); use square brackets around that name: _[Table]_. But after this simple error, I suggest you read how to write parameterized queries. – Steve Jan 05 '18 at 21:36
  • I would caution against a table named "Table"; use something more descriptive such as LoginUsers or some such. Also, you open yourself up to SQL injection attacks with that SQL built from a string; use parameters there. – Mark Schultheiss Jan 05 '18 at 21:38
  • Thank you very much Steve, it works now :) – Zuriosmm Jan 05 '18 at 21:39
  • Going along with the above comments: the name `table` is also a horrible name for a table. How often do you see files on disk called `file` or directories named `directory` or users named `user`? All poor choices. Use a descriptive name based on what you will be storing in the table. – Igor Jan 05 '18 at 21:39
  • Again, look at this Q&A: https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – Steve Jan 05 '18 at 21:39
  • @Steve, too funny, forgot about that one on here :) – Mark Schultheiss Jan 05 '18 at 21:41
  • You also appear to be storing a password in plaintext in your database. That's a big security violation. Passwords should be one-way hashed and salted, never stored in plaintext. – mason Jan 05 '18 at 21:50
  • @mason it's for a school competition so the security violation doesn't matter, but thanks for the info :) – Zuriosmm Jan 05 '18 at 21:59
  • You have to love University of YouTube "courses". The absolute minimum to get something limping along and none of the stuff you *need* to know. – Ňɏssa Pøngjǣrdenlarp Jan 05 '18 at 22:12
  • Even in school you should get in the habit of doing it the right way. Use parameterized queries. Even better would be to use stored procedures and not put your query in the application at all. Since this is school, it would be a great time to learn how to salt and hash passwords correctly. Either your professor would be thrilled that you did it or they are so clueless they wouldn't understand what you did. – Sean Lange Jan 05 '18 at 22:25
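The login check the commenters recommend, written out as an added example (not the asker's code or the tutorial's): the username is bound as a parameter instead of concatenated, and the stored value is a salted PBKDF2 hash rather than the plaintext password. It assumes a table named Users with username, password_hash and password_salt (varbinary) columns, and .NET Framework 4.7.2 or later for the Rfc2898DeriveBytes overload used; both are assumptions, not part of the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    // Assumed schema (not from the question): Users(username, password_hash, password_salt)
    const int Iterations = 100000;   // PBKDF2 work factor
    const int HashBytes = 32;

    // Run once when the account is created; store both values, never the password itself.
    public static (byte[] Salt, byte[] Hash) HashPassword(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return (salt, kdf.GetBytes(HashBytes));
    }

    public static bool Verify(string password, byte[] salt, byte[] storedHash)
    {
        byte[] computed;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            computed = kdf.GetBytes(HashBytes);
        // Compare every byte so timing does not reveal how long the matching prefix was.
        int diff = computed.Length ^ storedHash.Length;
        for (int i = 0; i < computed.Length && i < storedHash.Length; i++)
            diff |= computed[i] ^ storedHash[i];
        return diff == 0;
    }

    public static bool TryLogin(string connectionString, string username, string password)
    {
        // @username is bound as a value, so whatever was typed cannot change the SQL statement;
        // the Bobby Tables input from the linked Q&A is just a username that matches no row.
        const string query = "SELECT password_hash, password_salt FROM Users WHERE username = @username";
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(query, con))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username.Trim();
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;   // unknown user
                byte[] hash = (byte[])reader["password_hash"];
                byte[] salt = (byte[])reader["password_salt"];
                return Verify(password, salt, hash);
            }
        }
    }
}
```

In the button handler, `TryLogin(connectionString, txtUsername.Text, txtPassword.Text)` replaces the DataAdapter block, and the row-count check becomes the returned bool.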

1 Answer

For the fix I put Table in square brackets, like this: [Table]. This solved things :D

  • The **much better** fix would be to use **more meaningful** names for your own database objects, and refrain from using such overly generic terms like `table`, `object`, `column` etc. – marc_s Jan 05 '18 at 21:47