
I am using the following code:

string str = "ID = 15";

using (SqlCommand cmd = new SqlCommand("SELECT * " + 
                                       "FROM Cutomer" + 
                                       " Where (Status='Umbruch') and '"+str+"' " , con))

I am getting this error:

near 'ID = 15' is a non boolean expression specified in a context where a condition is expected. 

I know I can use the above code like this:

int id = 15; 

using (SqlCommand cmd = new SqlCommand("SELECT * " + 
                                       "FROM Cutomer" + 
                                       " Where (Status='Umbruch') and (ID='"+id+"')" , con))

It works fine like this, but I want to use it as in the first code above, because the number of IDs is not fixed: there can be 2, 3 or more. Just for simplicity I put my code here like this.

  • Because the right usage is ID = '15', not 'ID = 15'? Commented Dec 17, 2013 at 15:20
  • You have a SQL injection vulnerability. Commented Dec 17, 2013 at 15:20
  • Can you explain if the ID field is text or numeric? Commented Dec 17, 2013 at 15:23
  • @Steve ID field is numeric Commented Dec 17, 2013 at 15:34
  • Then you don't need single quotes anywhere in your string used for the where clause. But I repeat again, keep yourself safe and use a parameterized query Commented Dec 17, 2013 at 15:36

3 Answers


The first version should be as follows (from your second "working" query: you need single quotes around 15, not around the entire expression).

str = "ID = '15'";

using (SqlCommand cmd = new SqlCommand("SELECT * " + 
                                       "FROM Cutomer" + 
                                       " Where (Status='Umbruch') and "+str , con))

By the way, you should use Parameters, not direct strings.

If you need an IN clause, you may look at that question




A simple error: do not put single quotes before and after the string.

using (SqlCommand cmd = new SqlCommand("SELECT * FROM Cutomer " + 
                                       "WHERE (Status='Umbruch') AND " + str , con))

Of course this assumes that your ID field is numeric and not a text field.
In the latter case you should put the single quotes around the 15 constant:

string str = "ID = '15'";

As a side note, keep in mind that string concatenation is really dangerous because your code could be exploited with a simple SQL injection attack. In this very specific case there is no possibility for injection.

If you receive the ID to search for from a user input, do not use string concatenation to build SQL commands. Instead use a parameterized query:

 using (SqlCommand cmd = new SqlCommand("SELECT * FROM Cutomer " + 
                               " Where (Status='Umbruch') and ID=@custID" , con))
 {
      cmd.Parameters.AddWithValue("@custID", 15);
      ......
 }

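As an added example that is not part of the question or of any answer above: the variable-length ID list the question asks about, built the way the first answer's pointer to an IN clause and this answer's parameterized query suggest, with one typed parameter per value, shown next to the concatenation it replaces. It uses System.Data.SqlClient, the API the posted code uses, and the table and column names from the question (Cutomer, Status, ID as an int). The method names, the connection string and the hostile input are invented for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

// Added example, not code from the question or any answer. Assumes the
// table Cutomer with columns Status and ID (int) from the question; the
// method names and the connection string below are placeholders.
public static class CustomerQueries
{
    // The pattern from the question: the caller-supplied ID list is pasted
    // into the SQL text. Kept only to show what an attacker-controlled value
    // turns the statement into; never run it with untrusted input.
    public static string BuildUnsafeSql(string idList)
    {
        return "SELECT * FROM Cutomer WHERE (Status='Umbruch') AND ID IN (" + idList + ")";
    }

    // Safe version: one typed parameter per ID. User data never enters the
    // SQL text; only the placeholder names @id0, @id1, ... do. The constant
    // 'Umbruch' is fixed in the program, so it can stay a literal.
    public static SqlCommand BuildCustomerCommand(SqlConnection con, IReadOnlyList<int> ids)
    {
        if (ids == null || ids.Count == 0)
            throw new ArgumentException("at least one ID is required", nameof(ids));

        // SQL Server accepts at most 2100 parameters per command; callers
        // with larger lists must chunk them before calling this method.
        if (ids.Count > 2000)
            throw new ArgumentException("too many IDs for one command; split the list", nameof(ids));

        string[] names = Enumerable.Range(0, ids.Count).Select(i => "@id" + i).ToArray();

        var cmd = new SqlCommand(
            "SELECT * FROM Cutomer WHERE (Status='Umbruch') AND ID IN (" +
            string.Join(", ", names) + ")", con);

        for (int i = 0; i < ids.Count; i++)
        {
            // Explicit SqlDbType.Int instead of AddWithValue: no implicit type
            // inference, and a non-numeric value cannot reach the query at all.
            cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
        }
        return cmd;
    }

    public static void Main()
    {
        // Constructed attacker input (not from the page): closes the IN list,
        // appends a condition that is true for every row, and comments out
        // the rest of the statement, so the Status filter is bypassed.
        string hostile = "0) OR 1=1 --";
        Console.WriteLine("Unsafe statement built from hostile input:");
        Console.WriteLine(BuildUnsafeSql(hostile));

        // Placeholder connection string; the command is only inspected here,
        // not executed, so no database is needed to run this part.
        using (var con = new SqlConnection("Server=.;Database=Test;Integrated Security=true"))
        using (SqlCommand cmd = BuildCustomerCommand(con, new[] { 15, 23, 42 }))
        {
            Console.WriteLine("Parameterized statement:");
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " (" + p.SqlDbType + ") = " + p.Value);

            // To execute against a real server:
            // con.Open();
            // using (SqlDataReader reader = cmd.ExecuteReader()) { /* read rows */ }
        }
    }
}
```

The same shape works for text keys: change SqlDbType.Int to SqlDbType.NVarChar with the column's length and pass strings, and the quoting question from the thread disappears because the driver, not the SQL text, carries the values.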


You're making it a literal here:

using (SqlCommand cmd = new SqlCommand("SELECT * " + 
                                       "FROM Cutomer" + 
                                       " Where (Status='Umbruch') and '"+str+"' " , con))

It should be:

using (SqlCommand cmd = new SqlCommand("SELECT * " + 
                                       "FROM Cutomer" + 
                                       " Where (Status='Umbruch') and "+str, con))

Note the slight difference: the ' were removed.

Further, please read through my blog post on why you're open to SQL injection and why you need to leverage parameterized SQL instead of raw SQL.


@SLaks: Are you referring to the fact that the str should be ID = '15'? Which would only be true if the key were in fact a VARCHAR, yes? In other words, ID = 15 wouldn't work if the key were a VARCHAR, but either would work if it were an INT.
@MichaelPerrenoud It is not working like this; I am getting a syntax error at + strr +, con)). The error is: invalid expression term ','
@Kami, is it the extraneous + after the str variable that I missed on my first edit?
