0

Could someone point me in the right direction as to why this is happening?

Error Message

Here is my class in full:

public partial class _Default : Page
{
    OleDbConnection connection = new OleDbConnection(@"Provider = Microsoft.ACE.OLEDB.12.0; Data Source = C:\Users\micky\OneDrive\Documents\DataBase Connection Porject\DCNoms.accdb; Persist Security Info=False;");

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        connection.Open();
        OleDbCommand command = connection.CreateCommand();
        DataTable table1 = new DataTable();
        OleDbDataAdapter da1 = new OleDbDataAdapter(command);
        command.CommandType = CommandType.Text;
        command.CommandText = "select * from DCNOMINATION where NOMINATION_NO = " + TextBox1.Text + "";
        command.ExecuteNonQuery();
        da1.Fill(table1);
        GridView1.DataSource = table1;
        GridView1.DataBind();
        connection.Close();
    }
}
Uwe Keim
  • 39,551
  • 56
  • 175
  • 291
Michael Braham
  • 23
  • 2
  • ⚠ [Little Bobby Tables](https://bobby-tables.com/) alert! – Uwe Keim Jul 27 '21 at 17:30
  • What Uwe is hinting to is: Please use parameterized queries. It will not only solve your problem (which could be solved in another unsecure way as well), it will more importantly also protect your application from injection attacks. – Christoph Sonntag Jul 27 '21 at 17:36
  • **Always use parameterized sql and avoid string concatenation** to add values to sql statements. This mitigates SQL Injection vulnerabilities and ensures values are passed to the statement correctly. See [How can I add user-supplied input to an SQL statement?](https://stackoverflow.com/q/35163361/1260204), and [Exploits of a Mom](https://xkcd.com/327/). – Igor Jul 27 '21 at 17:39
  • The difference between the answer in the marked duplicate and what you need to do is that you are using OleDb so the parameter names are `?` instead of `@parameterName` and your parameters are positional based so what you add to the list must occur in the statement in the same order. – Igor Jul 27 '21 at 17:41
  • which other way could it be solved? @Compufreak This will never see the light of day as it is apprenticeship work and i only need screenshots of my code and the results. I wish I was knowledgeable enough to apply the suggestions that I have been offered re. parameterzied queries but im struggling to understand it. – Michael Braham Jul 27 '21 at 18:29
  • If you already had the topic regarding query parameters in your courses you definitely should use those - otherwise the person you commit your results to will not be happy with your work. For the case you are absolutely sure you did not learn about it yet - have a look at an actual working query, compare it to the CommandText you see in the debugger and see what's wrong with it ;) Or if you do not know how to use the debugger yet, print command.CommandText to the console. – Christoph Sonntag Jul 27 '21 at 18:35
  • Examples of how to use parameters include: https://stackoverflow.com/a/28889774/1260204 and https://learn.microsoft.com/en-us/dotnet/api/system.data.oledb.oledbcommand.parameters?view=dotnet-plat-ext-5.0#examples. You should be able to rework your code with minimal effort to use parameterized queries. – Igor Jul 27 '21 at 18:36
  • My database course is at the end of august but I'm trying to get ahead of the work. I will try what you suggested but i'm unsure of either method tbh – Michael Braham Jul 27 '21 at 18:48
  • is this correct now? OleDbDataAdapter da1 = new OleDbDataAdapter(command); command.CommandType = CommandType.Text; command.CommandText = "select * from DCNOMINATION where NOMINATION_NO = ?"; command.Parameters.Add(TextBox1.Text); command.ExecuteNonQuery(); – Michael Braham Jul 28 '21 at 10:37
  • because it still give the same error – Michael Braham Jul 28 '21 at 10:37

0 Answers0