0

I receive this error on cmd.ExecuteNonQuery()... I think I am wrong on cmd.CommandText...

Syntax error (missing operator) in query expression 'Nr_Crt='1' and Varsta '3' and KG '2' and Specie 'Iepure' and Risc'Nu' and Tip1 'Diurn' and Tip2 'Carnivor''.

    private void button2_Click_1(object sender, EventArgs e)
        {
            if (txtNr_Crt.Text != " " & txtVarsta.Text != " " & txtKG.Text != " " & txtSpecie.Text != " " & txtRisc.Text != " " & txtTip1.Text != " " & txtTip1.Text != " " & txtTip2.Text != "")
            {

                cn.Open();
                cmd.CommandText = "DELETE from Animale Where Nr_Crt='" + txtNr_Crt.Text + "' and Varsta '" + txtVarsta.Text + "' and KG '" + txtKG.Text + "' and Specie '" + txtSpecie.Text + "' and Risc'" + txtRisc.Text + "' and Tip1 '" + txtTip1.Text + "' and Tip2 '" + txtTip2.Text + "'";
                cmd.ExecuteNonQuery();
                cn.Close();

                loaddata();

                txtNr_Crt.Text = "";
                txtVarsta.Text = "";
                txtKG.Text = "";
                txtSpecie.Text = "";
                txtSex.Text = "";
                txtRisc.Text = "";
                txtTip1.Text = "";
                txtTip2.Text = "";
            }
        }
Brian Tompsett - 汤莱恩
user3061587

3 Answers

1

Your code is vulnerable to SQL injection; I'd fix that.

The issue is that you are missing the = from each of your subsequent and's:

    cn.Open();

    // cmd is reused between clicks, so drop parameters left over from a previous call
    cmd.Parameters.Clear();
    // Values are bound as data, never spliced into the SQL text.
    // Add them in the order they appear in the query: OleDb and ODBC bind by position.
    cmd.Parameters.AddWithValue("@Nr_Crt", txtNr_Crt.Text);
    cmd.Parameters.AddWithValue("@Varsta", txtVarsta.Text);
    cmd.Parameters.AddWithValue("@KG", txtKG.Text);
    cmd.Parameters.AddWithValue("@Specie", txtSpecie.Text);
    cmd.Parameters.AddWithValue("@Risc", txtRisc.Text);
    cmd.Parameters.AddWithValue("@Tip1", txtTip1.Text);
    cmd.Parameters.AddWithValue("@Tip2", txtTip2.Text);
    cmd.CommandText = "DELETE from Animale Where Nr_Crt= @Nr_Crt and Varsta = @Varsta and KG = @KG and Specie = @Specie and Risc = @Risc and Tip1 = @Tip1 and Tip2 = @Tip2";

    cmd.ExecuteNonQuery();
    cn.Close();

This should fix it (and the SQL injection risk)

DGibbs
  • Fixed, but it does not delete anything from the database and listbox. – user3061587 Dec 05 '13 at 12:46
  • You probably have other issues with your code, are you rebinding the listbox? Put the code in a try/catch block, does it throw any exceptions? – DGibbs Dec 05 '13 at 12:49
  • I have a listbox for every parameter, and when I select the first parameter from the first listbox, it selects all the first parameters, and I want to delete all, or the first line. – user3061587 Dec 05 '13 at 12:54
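
What separates the concatenated query in the question from the parameterized one in the answer above, as an added example that is not part of the original thread or anyone's posted code. It assumes Python's built-in `sqlite3` as an offline stand-in for the real database (so placeholders are `?` rather than `@name`), all columns typed as TEXT, and constructed sample rows; the function names are hypothetical.

```python
import sqlite3

COLUMNS = ("Nr_Crt", "Varsta", "KG", "Specie", "Risc", "Tip1", "Tip2")

def make_db():
    """In-memory stand-in for the Animale table, filled with constructed rows."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE Animale (%s)" % ", ".join(c + " TEXT" for c in COLUMNS))
    cn.executemany("INSERT INTO Animale VALUES (?, ?, ?, ?, ?, ?, ?)", [
        ("1", "3", "2", "Iepure", "Nu", "Diurn", "Carnivor"),
        ("2", "5", "40", "Lup", "Nu", "Nocturn", "Carnivor"),
        ("3", "1", "1", "O'Hara", "Da", "Diurn", "Erbivor"),
    ])
    return cn

def delete_concatenated(cn, values):
    """Question's approach (with the '=' added): the values become part of the SQL text."""
    where = " and ".join("%s='%s'" % (c, v) for c, v in zip(COLUMNS, values))
    return cn.execute("DELETE from Animale Where " + where).rowcount

def delete_parameterized(cn, values):
    """Answer's approach: the SQL text is fixed and the values are bound as data."""
    where = " and ".join("%s = ?" % c for c in COLUMNS)
    return cn.execute("DELETE from Animale Where " + where, tuple(values)).rowcount

def remaining(cn):
    return cn.execute("SELECT COUNT(*) FROM Animale").fetchone()[0]

def demo():
    quoted = ("3", "1", "1", "O'Hara", "Da", "Diurn", "Erbivor")        # ordinary value containing '
    crafted = ("1", "3", "2", "Iepure", "Nu", "Diurn", "x' OR '1'='1")  # constructed hostile input
    result = {}
    cn = make_db()
    try:
        delete_concatenated(cn, quoted)
    except sqlite3.OperationalError:
        result["concat_quoted"] = "syntax error"   # the apostrophe ends the string literal early
    result["concat_crafted"] = delete_concatenated(cn, crafted)  # predicate widened to every row
    result["concat_remaining"] = remaining(cn)
    cn = make_db()
    result["param_crafted"] = delete_parameterized(cn, crafted)  # compared as a literal Tip2 value
    result["param_quoted"] = delete_parameterized(cn, quoted)    # matches exactly one row
    result["param_remaining"] = remaining(cn)
    return result

if __name__ == "__main__":
    print(demo())
```

The returned row count is also a quick check when a delete appears to do nothing: a count of 0 means no row matched all seven conditions.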
0

Your query is wrong. You are missing = when comparing the columns

    cmd.CommandText = "DELETE from Animale Where Nr_Crt='" + txtNr_Crt.Text + "' and Varsta='" + txtVarsta.Text + "' and KG='" + txtKG.Text + "' and Specie='" + txtSpecie.Text + "' and Risc='" + txtRisc.Text + "' and Tip1='" + txtTip1.Text + "' and Tip2='" + txtTip2.Text + "'";

0

    // Clear the Text of every TextBox placed directly on the form
    foreach (Control ctrl in this.Controls)
    {
        if (ctrl is TextBox)
        {
            ctrl.Text = "";
        }
    }

For clearing all textboxes at once :) you can create a method that performs it when you need it.

Jay Harris