0

I'm using ASP.NET Razor.

    <form style="display:inline" name="formular1" method="post" action="default.cshtml">
        <select name="phone1" class="dropdown">
            @foreach(var row in db.Query("SELECT * FROM Handy")){
                <option value="@row.Handyname">@row.Handyname</option>
            }
        </select>
        vs.
        <select name="phone2" class="dropdown">
            @foreach(var row in db.Query("SELECT * FROM Handy")){
                <option value="@row.Handyname">@row.Handyname</option>
            }
        </select>
        <input type="submit" value="Compare"/>
    </form>
    @{
        var phoneOne = "";
        var phoneTwo = "";
        if(IsPost){
            // request input of the select forms
            phoneOne = Request["phone1"];
            phoneTwo = Request["phone2"];
        }
    }
    </div>

    <div class="content">
        <div class="start">
            <p><h2>@phoneOne</h2></p>
            <ul>
            @{
                if(IsPost){
                    foreach(var row in db.Query("SELECT * FROM Handy WHERE Handyname=@phoneOne")){
                        <li>processor: @row.Prozessor GHz</li>
                        <li>memory: @row.RAM MB Ram</li>
                        <li>weight: @row.Gewicht g</li>
                        <li>display: @row.Display ''</li>
                        <li>OS: @row.OS</li>
                    }
                }
            }
            </ul>
        </div>

I'm getting an error with the query: WHERE Handyname=@phoneOne ... leaving it out, everything works fine. What am I doing wrong?

Thanks:)!

gausss

3 Answers

1

Not very sure, but I think you need to replace this:

foreach(var row in db.Query("SELECT * FROM Handy WHERE Handyname=@phoneOne"))

With this:

foreach(var row in db.Query("SELECT * FROM Handy WHERE Handyname= " + phoneOne))
goenning
    If you take that route, you will need to be very careful to prevent [SQL injection attacks](http://en.wikipedia.org/wiki/SQL_injection). – Rick Liddle Jul 22 '11 at 23:54
1

As described here, try the following:

foreach(var row in db.Query("SELECT * FROM Handy WHERE Handyname=@@phoneOne")){
Rick Liddle
0

Is db a reference to the database component in Razor? If so, it uses @0, @1 (indexes), not named parameters.

foreach(var row in db.Query("SELECT * FROM Handy WHERE Handyname=@0"))

And pass in the value through the collection of parameters in that method too.

Brian Mains
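
One way to write the whole page with the positional `@0` parameter from the last answer, as an added example that is not code from the question or from any of the answers. It assumes `db` is the WebMatrix.Data `Database` helper and that the database is registered under the hypothetical name "Phones"; table and column names are the ones in the question.

```razor
@* Added example. "Phones" is an assumed database name. *@
@{
    var db = Database.Open("Phones");   // assumption: database registered as "Phones"
    var names = db.Query("SELECT Handyname FROM Handy ORDER BY Handyname");

    // Fetch one row per selected phone. @0 is a positional placeholder: the
    // value is sent as a parameter, never spliced into the SQL text, so quotes
    // or SQL keywords in the posted value cannot change the statement.
    var selected = new List<dynamic>();
    if (IsPost) {
        foreach (var field in new[] { "phone1", "phone2" }) {
            var name = Request.Form[field];
            if (!String.IsNullOrEmpty(name)) {
                var row = db.QuerySingle("SELECT * FROM Handy WHERE Handyname = @0", name);
                if (row != null) { selected.Add(row); }   // names not in the table are ignored
            }
        }
    }
}
<form method="post" action="">
    <select name="phone1" class="dropdown">
        @foreach (var n in names) {
            <option value="@n.Handyname">@n.Handyname</option>
        }
    </select>
    vs.
    <select name="phone2" class="dropdown">
        @foreach (var n in names) {
            <option value="@n.Handyname">@n.Handyname</option>
        }
    </select>
    <input type="submit" value="Compare" />
</form>
@* Values written with @ are HTML-encoded by Razor on output. *@
@foreach (var row in selected) {
    <h2>@row.Handyname</h2>
    <ul>
        <li>processor: @row.Prozessor GHz</li>
        <li>memory: @row.RAM MB Ram</li>
        <li>weight: @row.Gewicht g</li>
        <li>display: @row.Display ''</li>
        <li>OS: @row.OS</li>
    </ul>
}
```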