
I need to use the following query in my C# code:

SELECT AVG(Percent) 
From Table1
Where code Like "Sport" and Year Like"2011" and Sitting Like"June";

I did it like this:

"SELECT AVG(Percentage) FROM MasterTable WHERE Code LIKE " + comboBoxSubject.Text +
"AND Year LIKE "+dateTimePicker1 +" AND Sitting LIKE June"

but I get an exception, probably because the parameters are extracted from different controls and are not placed in inverted commas.

Can anyone help me?

ANSWER

That is the query that worked for me:

"SELECT AVG(Percent) FROM MasterTable WHERE Code LIKE '" + comboBoxSubject.Text + "' AND Year LIKE '" + dateTimePicker1.Value.Year + "' AND Sitting LIKE 'June'"
  • What exception do you get? And what is dateTimePicker1? Shouldn't you use something like dateTimePicker1.Value? Commented Jan 8, 2013 at 19:53
  • potential SQL injection detected Commented Jan 8, 2013 at 19:53
  • Keep in mind you're leaving yourself wide open for a SQL injection attack with that code; be sure to switch to using SqlParameter (msdn.microsoft.com/en-us/library/yy6y35y8(v=VS.80).aspx). An example (stackoverflow.com/questions/2701506/…) Commented Jan 8, 2013 at 19:54
  • Your original SQL is also incorrect. Commented Jan 8, 2013 at 20:00

5 Answers


Supposing you use SQLite, because you don't mention any database. This is how you can avoid SQL injection.

using System.Data.SQLite;

// A verbatim string (@"...") lets the SQL span several lines; @sport, @year and @month
// are named parameters, so the values are bound separately and never spliced into the SQL text.
var selectCommand = new SQLiteCommand(@"SELECT AVG(PERCENT)
                                        FROM TABLE1
                                        WHERE CODE LIKE @sport AND YEAR LIKE @year AND SITTING LIKE @month");
selectCommand.Parameters.AddWithValue("@sport", sportParameter);
selectCommand.Parameters.AddWithValue("@year", yearParameter);
selectCommand.Parameters.AddWithValue("@month", monthParameter);

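Added example, not code from the question or from any of the answers: the question's query run as a parameterised command against an in-memory SQLite database with constructed sample rows. It assumes the Microsoft.Data.Sqlite package (a different SQLite provider from the System.Data.SQLite one used in the answer above) and goes one step beyond the answer by keeping the LIKE wildcards in the SQL and escaping any % or _ in the user's value, which parameters alone do not do.

```csharp
using System;
using Microsoft.Data.Sqlite;

class AverageByCode
{
    // Escapes the LIKE metacharacters so a '%' or '_' typed by the user matches literally.
    static string EscapeLike(string s) =>
        s.Replace(@"\", @"\\").Replace("%", @"\%").Replace("_", @"\_");

    // Returns AVG(Percent) for the rows matching the filters, or null when no row matches.
    static double? AverageFor(SqliteConnection conn, string code, int year, string sitting)
    {
        using var cmd = conn.CreateCommand();
        // The wildcards are part of the SQL pattern, not of the user's value, so they are
        // joined inside SQL ('||' is SQLite string concatenation); the value itself travels
        // as a parameter and is never spliced into the statement text.
        cmd.CommandText = @"SELECT AVG(Percent) FROM Table1
                            WHERE Code LIKE '%' || @code || '%' ESCAPE '\'
                              AND Year = @year
                              AND Sitting = @sitting";
        cmd.Parameters.AddWithValue("@code", EscapeLike(code));
        cmd.Parameters.AddWithValue("@year", year);
        cmd.Parameters.AddWithValue("@sitting", sitting);
        object result = cmd.ExecuteScalar();      // DBNull when AVG saw no rows
        return result is null || result is DBNull ? null : (double?)Convert.ToDouble(result);
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            // Constructed sample rows; the table and column names follow the question.
            setup.CommandText = @"CREATE TABLE Table1 (Code TEXT, Year INTEGER, Sitting TEXT, Percent REAL);
                                  INSERT INTO Table1 VALUES ('Sport', 2011, 'June', 70.0),
                                                            ('Sport', 2011, 'June', 80.0),
                                                            ('Sport', 2010, 'June', 10.0),
                                                            ('Women''s Sport', 2011, 'June', 50.0);";
            setup.ExecuteNonQuery();
        }
        Console.WriteLine(AverageFor(conn, "Sport", 2011, "June"));
        // An apostrophe in the value would break the string-built query from the question;
        // as a parameter it is plain data.
        Console.WriteLine(AverageFor(conn, "Women's", 2011, "June"));
        // A '%' in the value is escaped, so it does not widen the match.
        Console.WriteLine(AverageFor(conn, "%", 2011, "June"));
    }
}
```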


There are three problems.

  • There's no space after the code value and AND
  • There are missing single quotes between values
  • The wildcard symbol (%) is missing from the SQL LIKE statements

It depends what kind of project you are working on but often I find it is much easier to spot syntax errors and missing spaces by printing the end query out. For example, below is a console application that does this.

using System;

class Program
{
    static void Main(string[] args)
    {
        const string code = "Sport";
        const string year = "2011";
        // Print the assembled query so missing spaces and quotes are visible before it is run
        Console.WriteLine("SELECT AVG(Percentage) FROM MasterTable WHERE Code LIKE '%" + code + "%' AND Year LIKE '%" + year + "%' AND Sitting LIKE '%June%'");
    }
}



Use single quotes for character fields.

"SELECT AVG(Percentage) FROM MasterTable WHERE Code LIKE '" + comboBoxSubject.Text +
        "' AND Year LIKE '" + dateTimePicker1.Value.Year + "' AND Sitting LIKE 'June'"



Use % and ' and please consider using parameters:

SELECT AVG(Percentage) FROM MasterTable WHERE (Code LIKE '%' + @text + '%')


MySqlCommand cmd = new MySqlCommand(
    "SELECT Employee_No, Image, Last_Name, First_Name, Middle_Name, Suffix, Sex, Birthdate, Contact_No, Address, Username " +
    "FROM user_tbl WHERE Employee_No LIKE '%" + searchemployeeno + "%' OR Last_Name LIKE '%" + searchemployeeno + "%' ",
    SQLConn.conn);

1 Comment

While this code may answer the question, providing additional context regarding how and/or why it solves the problem would improve the answer's long-term value.
