
I'm getting an error on this line of code:

    int records = (int)cmd.ExecuteScalar();

Error is:

Illegal variable name/ number

Complete code:

    string strq = "select count(*) from groupmembers where group_members='" + txtgrpmem.Text + "'";
    cmd = new OracleCommand(strq, Dbconn);
    cmd.Parameters.AddWithValue("group_members", txtgrpmem.Text);

    if (Dbconn.State == ConnectionState.Closed)
    {
        Dbconn.Open();
    }

    int records = (int)cmd.ExecuteScalar();

    if (records == 0)
    {
    }
    else
    {
    }
[SQL Injection alert](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - you should **not** concatenate together your SQL statements - use **parametrized queries** instead to avoid SQL injection - check out [Little Bobby Tables](http://bobby-tables.com/) – marc_s Sep 22 '18 at 07:40

2 Answers


I believe your query needs to include the group_members parameter, like this:

    string strq = "select count(*) from groupmembers where group_members=:group_members";

Note: The parameter name is prefixed with a colon (:).

Mohsin Mehmood
The leading `@` is for **SQL Server** - as far as I know, **Oracle** doesn't use that syntax – marc_s Sep 22 '18 at 07:51

The error is because you've used the parameter group_members with your OracleCommand but you haven't used the parameter in your query. Check here for Parameterised Query. Also, check in the link for OracleCommand.ParameterCheck

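    string strq = "select count(1) from groupmembers where group_members=:group_members";

    using (OracleConnection Dbconn = new OracleConnection(CONNECTION_STRING))
    {
        if (Dbconn.State == ConnectionState.Closed)
        {
            Dbconn.Open();
        }

        using (OracleCommand cmd = new OracleCommand(strq, Dbconn))
        {
            // The name bound here matches the :group_members placeholder in strq.
            cmd.Parameters.AddWithValue("group_members", txtgrpmem.Text);

            // Oracle returns COUNT as a NUMBER (a decimal in .NET), so convert
            // the result instead of unboxing it straight to int.
            int records = Convert.ToInt32(cmd.ExecuteScalar());
        }
    }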

Also, why using?

Hary
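A pre-flight check for the mismatch both answers describe, as an added example (not code from the question or from either answer): it compares the `:name` placeholders in the statement text with the parameter names bound to the command. The `BindCheck` class and its method names are hypothetical, the input value is constructed, and the check assumes named binds and a statement without SQL comments.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class BindCheck   // hypothetical helper, not part of any Oracle provider
{
    // Matches a single-quoted SQL literal (skipped) or a :name placeholder.
    static readonly Regex Token =
        new Regex(@"'(?:[^']|'')*'|:(?<name>[A-Za-z_][A-Za-z0-9_]*)");

    // Placeholder names found in the statement text, outside string literals.
    public static HashSet<string> Placeholders(string sql)
    {
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in Token.Matches(sql))
            if (m.Groups["name"].Success) names.Add(m.Groups["name"].Value);
        return names;
    }

    // One message per mismatch; an empty list means text and binds line up.
    public static List<string> Mismatches(string sql, IEnumerable<string> boundNames)
    {
        var cmp = StringComparer.OrdinalIgnoreCase;
        var inSql = Placeholders(sql);
        var bound = new HashSet<string>(boundNames.Select(n => n.TrimStart(':')), cmp);
        var problems = new List<string>();
        foreach (var n in bound.Except(inSql, cmp))
            problems.Add("bound but not in SQL text: " + n);
        foreach (var n in inSql.Except(bound, cmp))
            problems.Add("in SQL text but not bound: " + n);
        return problems;
    }

    static void Main()
    {
        string input = "admins";   // constructed stand-in for txtgrpmem.Text
        string concatenated =
            "select count(*) from groupmembers where group_members='" + input + "'";
        string parameterized =
            "select count(*) from groupmembers where group_members=:group_members";
        var bound = new[] { "group_members" };

        // The question's statement: a parameter is bound, but the text has no placeholder.
        Console.WriteLine(string.Join("; ", Mismatches(concatenated, bound)));
        // The answers' statement: placeholder and bound name agree.
        Console.WriteLine(Mismatches(parameterized, bound).Count);
    }
}
```

Run from a unit test over an application's statements, the same check also flags any query that binds nothing because its values were concatenated into the text.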