-1

Hello I got the error:

Token unknown - line 1, char 74

when I try to make a query with sql injection,without parameter I don't have any problem, here is the code:

  DbProviderFactory   factory= DbProviderFactories.GetFactory("Borland.Data.AdoDbxClient");

        IDbConnection c = factory.CreateConnection();
        c.ConnectionString = "DriverName=Interbase;Database=....;RoleName=RoleName;User_Name=...;Password=......;SQLDialect=1;MetaDataAssemblyLoader=Borland.Data.TDBXInterbaseMetaDataCommandFactory,Borland.Data.DbxReadOnlyMetaData,Version=11.0.5000.0,Culture=neutral,PublicKeyToken=91d62ebb5b0d1b1b;GetDriverFunc=getSQLDriverINTERBASE;LibraryName=dbxint30.dll;VendorLib=GDS32.DLL";
        c.Open();

        IDbCommand cmd = c.CreateCommand();
        cmd.CommandText = @"SELECT ID,NAME FROM USERS  WHERE UPPER(NAME) = @NAME ORDER BY ID";
        cmd.Connection = c;

        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = "@NAME";
        p.DbType = DbType.String;
        p.Size = 15;
        p.Value = "test_spring";
        cmd.Parameters.Add(p);

        IDataReader myreader = cmd.ExecuteReader();

        DataTable dt = new DataTable();

        int fieldCount = myreader.FieldCount;
        for (int i = 0; i < fieldCount; i++)
        {
            dt.Columns.Add(myreader.GetName(i), myreader.GetFieldType(i));
        }
        while (myreader.Read())
        {
            object[] values = new object[fieldCount];
            myreader.GetValues(values);
            DataRow dataRow = dt.Rows.Add(values);
            // We should not AcceptChangesDuringFill to avoid multiple data row versions
        }

        dt.EndLoadData();

Stack Trace: 

[TAdoDbxException (0x65): Token unknown - line 1, char 4
TERM]
   Borland.Data.TAdoDbxProviderFactory.AdoDbxException(TDBXError DBXError) +34
   Borland.Data.TDBXContext.Error(Int32 ErrorCode, String ErrorMessage) +66
   Borland.Data.TDBXMethodTable.RaiseError(TDBXContext DBXContext, Int32 DBXResult, IntPtr DBXHandle, String AdditionalInfo) +288
   Borland.Data.TDBXDynalinkCommand.CheckResult(Int32 DBXResult) +33
   Borland.Data.TDBXDynalinkCommand.DerivedPrepare() +63
   Borland.Data.TDBXCommand.Prepare() +66
   Borland.Data.TDBXCommand.CommandExecuting() +54
   Borland.Data.TDBXCommand.ExecuteQuery() +72
   Borland.Data.TDBXMorphicCommand.ExecuteQuery() +23
   Borland.Data.TAdoDbxCommand.ExecuteDbDataReader(CommandBehavior Behavior) +57
   System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) +10
   WebApplication1._Default.Page_Load(Object sender, EventArgs e) in C:\Users\ntaskas\Documents\Visual Studio 2008\Projects\WebApplication1\WebApplication1\Default.aspx.cs:43
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnLoad(EventArgs e) +99
   System.Web.UI.Control.LoadRecursive() +50
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627

Plz I want to finish a project! Any idea??

Val Marinov
  • 2,705
  • 17
  • 22
George Ntaskas
  • 1
  • 3

1 Answers1

0

You forgot to set CommandType for IDbCommand cmd and also, I changed the name of parameterized variable. 

    using (DbCommand cmd = c.CreateCommand())
    {
       cmd.CommandText = @"SELECT ID, NAME FROM USERS WHERE UPPER(NAME) = @name ORDER BY ID";
       cmd.Connection = c;
       cmd.CommandType = CommandType.Text

       IDbDataParameter p = cmd.CreateParameter();
       p.ParameterName = "@name";
       p.DbType = DbType.String;
       p.Size = 15;
       p.Value = "test_spring";
       cmd.Parameters.Add(p);
    }
Rupa Mistry
  • 363
  • 3
  • 9