-1

edit: I'm aware of SQL Injection.

First of all, I know my coding methods are terrible, but that's what I can do for now; I'm an extreme beginner in C#.

I'm trying to read data from SQL Server and show it in TextBoxes. The user is going to write (and choose from combo boxes) some data in:

cmbIl.Text, cmbIlce.Text, cmbMahalle.Text, txtAda.Text, txtPafta.Text

and press the button for search.

If that data corresponds to the values in the SQL database (true), some other data will be taken and shown in

txtTapuKodu.Text, txtPafta.Text, txtTapuAlani.Text, txtNitelik.Text, rtxtImarDurumu.Text

But the code below gives this error:

System.Data.SqlClient.SqlException: 'Incorrect syntax near ','.'

    private void btnSorgula_Click(object sender, EventArgs e)
    {
        string source = @"Data Source=YAGIZ-PC;Initial Catalog=imar_sorgu;Integrated Security=True";
        SqlConnection con = new SqlConnection(source);
        con.Open();

        string sqlSelectQuery = "SELECT * FROM tablo_arsa WHERE il = '" + cmbIl.Text + "', ilce = '" + cmbIlce.Text + "', mahalle = '" + cmbMahalle.Text + "', ada = '" + txtAda.Text + "', parsel = '" + txtParsel.Text + "'";

        /* string sqlSelectQuery2 = "SELECT * FROM tablo_arsa WHERE ilce ='" + cmbIlce.Text + "'";
        string sqlSelectQuery3 = "SELECT * FROM tablo_arsa WHERE mahalle ='" + cmbMahalle.Text + "'";
        string sqlSelectQuery4 = "SELECT * FROM tablo_arsa WHERE ada = " + txtAda.Text;
        string sqlSelectQuery5 = "SELECT * FROM tablo_arsa WHERE parsel = " + txtParsel.Text; */

        SqlCommand cmd = new SqlCommand(sqlSelectQuery, con);
        SqlDataReader dr = cmd.ExecuteReader();
        if (dr.Read())
        {
            txtTapuKodu.Text = (dr["tapu_kodu"].ToString());
            txtPafta.Text = (dr["pafta"].ToString());
            txtTapuAlani.Text = (dr["tapu_alani"].ToString());
            txtNitelik.Text = (dr["nitelik"].ToString());
            rtxtImarDurumu.Text = (dr["imar_durumu"].ToString());

            MessageBox.Show("İstek başarıyla okundu.");
        }
        else
        {
            MessageBox.Show("Okuma başarısız.");
        }
        con.Close();
    }
Yagiz
  • 43
  • 4
  • Read about sql injection before allowing users to place their strings into your sql – Gleb Dec 03 '19 at 21:23
  • [Here](https://stackoverflow.com/q/13573380/10293483), take a look at this solution. It's better not to concatenate your sql query. Just use parameters and you won't get these errors. – Gleb Dec 03 '19 at 21:29

1 Answer

-1

The problem is that your WHERE clause contains commas between the predicates. Use AND instead.

Change:

    string sqlSelectQuery = "SELECT * FROM tablo_arsa WHERE il = '" + cmbIl.Text + "', ilce = '" + cmbIlce.Text + "', mahalle = '" + cmbMahalle.Text + "', ada = '" + txtAda.Text + "', parsel = '" + txtParsel.Text + "'";

to:

    string sqlSelectQuery = "SELECT * FROM tablo_arsa WHERE il = '" + cmbIl.Text + "' AND ilce = '" + cmbIlce.Text + "' AND mahalle = '" + cmbMahalle.Text + "' AND ada = '" + txtAda.Text + "' AND parsel = '" + txtParsel.Text + "'";

However, PLEASE read about SQL INJECTION. It is a very bad security issue and this is a perfect example.

Jim Reineri
  • 2,830
  • 3
  • 31
  • 32
  • Thank you for help and advice. It worked. I appreciate it. – Yagiz Dec 03 '19 at 21:41
  • Not sure of the reason for the down vote. I can guess. True that I did not provide a parameterized query example. Also, did not mention that 'select *' should be avoided in code. However, both of those issues are out of the scope of the question. And, I did strongly suggest studying up on sql injection. – Jim Reineri Dec 10 '19 at 19:50
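The answer fixes the syntax error but, as both the comments and the answer say, the concatenated query is still injectable: whatever the user types into `cmbIl.Text` or `txtAda.Text` becomes part of the SQL statement. The following is an added example, not the asker's or the answerer's code, showing the same lookup written with `SqlParameter`s so that user input is only ever compared as a value, never parsed as SQL. It keeps the table, column and control names from the question and the question's connection string; it assumes the five lookup columns are `NVARCHAR(50)` (the question quotes them as strings) and that the form's controls are declared in the designer file, as a WinForms project normally does. It also selects the five columns explicitly instead of `SELECT *`, which the answerer mentions in his comment.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Added example, not the original poster's code.
// Assumptions: il/ilce/mahalle/ada/parsel are NVARCHAR(50) columns and the
// result columns tapu_kodu, pafta, tapu_alani, nitelik, imar_durumu exist.
public class ArsaRecord
{
    public string TapuKodu;
    public string Pafta;
    public string TapuAlani;
    public string Nitelik;
    public string ImarDurumu;
}

public static class ArsaRepository
{
    // Connection string taken from the question.
    private const string Source =
        @"Data Source=YAGIZ-PC;Initial Catalog=imar_sorgu;Integrated Security=True";

    // Returns the matching row, or null when nothing matches.
    // The SQL text is a constant: user input never becomes part of it, so a value
    // such as  ' OR 1=1 --  is compared literally against the column and cannot
    // change what the statement does.
    public static ArsaRecord FindArsa(string il, string ilce, string mahalle,
                                      string ada, string parsel)
    {
        const string sql =
            "SELECT tapu_kodu, pafta, tapu_alani, nitelik, imar_durumu " +
            "FROM tablo_arsa " +
            "WHERE il = @il AND ilce = @ilce AND mahalle = @mahalle " +
            "AND ada = @ada AND parsel = @parsel";

        using (var con = new SqlConnection(Source))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Typed, sized parameters: the size matches the assumed NVARCHAR(50)
            // columns, so SQL Server reuses one cached plan for every lookup and
            // does no implicit conversion on the indexed columns.
            cmd.Parameters.Add("@il", SqlDbType.NVarChar, 50).Value = il;
            cmd.Parameters.Add("@ilce", SqlDbType.NVarChar, 50).Value = ilce;
            cmd.Parameters.Add("@mahalle", SqlDbType.NVarChar, 50).Value = mahalle;
            cmd.Parameters.Add("@ada", SqlDbType.NVarChar, 50).Value = ada;
            cmd.Parameters.Add("@parsel", SqlDbType.NVarChar, 50).Value = parsel;

            con.Open();
            // SingleRow: we only ever show the first match, so tell the driver so.
            using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!dr.Read())
                    return null;

                return new ArsaRecord
                {
                    TapuKodu = dr["tapu_kodu"].ToString(),
                    Pafta = dr["pafta"].ToString(),
                    TapuAlani = dr["tapu_alani"].ToString(),
                    Nitelik = dr["nitelik"].ToString(),
                    ImarDurumu = dr["imar_durumu"].ToString()
                };
            }
            // The using blocks dispose the reader, command and connection even
            // when an exception is thrown, which the original con.Close() did not.
        }
    }
}

// The form half: the controls (cmbIl, txtAda, txtTapuKodu, ...) are assumed to be
// declared in the designer file, as in the question.
public partial class Form1 : Form
{
    private void btnSorgula_Click(object sender, EventArgs e)
    {
        try
        {
            ArsaRecord rec = ArsaRepository.FindArsa(
                cmbIl.Text, cmbIlce.Text, cmbMahalle.Text, txtAda.Text, txtParsel.Text);

            if (rec == null)
            {
                MessageBox.Show("Okuma başarısız.");
                return;
            }

            txtTapuKodu.Text = rec.TapuKodu;
            txtPafta.Text = rec.Pafta;
            txtTapuAlani.Text = rec.TapuAlani;
            txtNitelik.Text = rec.Nitelik;
            rtxtImarDurumu.Text = rec.ImarDurumu;
            MessageBox.Show("İstek başarıyla okundu.");
        }
        catch (SqlException ex)
        {
            // Surface database errors instead of crashing the UI thread.
            MessageBox.Show("Veritabanı hatası: " + ex.Message);
        }
    }
}
```

The point of the split is that `FindArsa` contains no SQL built from strings at all: the statement is a compile-time constant, and the only things that vary between calls are parameter values. If the real column types are `INT` (the commented-out queries in the question compare `ada` and `parsel` without quotes), change those two parameters to `SqlDbType.Int` and parse the TextBox input with `int.TryParse` first, which also gives you a clean validation message instead of a conversion error from the server.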