Hello I have this SQL query:
SQL = "SELECT SUM( " + "CASE WHEN rn =1" + "THEN v.FirstAmount"
+ "WHEN rn =2" + "THEN v.SecondAmount " + "ELSE v.ThirdAmount " + "END ) "
+ "FROM (" + "SELECT cv. * , @rn := IF( @vi = `Violation ID` , @rn +1, 1 ) AS rn,
@vi := `Violation ID` " + "FROM class_violation cv" + "CROSS JOIN ("
+ "SELECT @rn :=0, @vi := ''" + ")CONST" + "ORDER BY `Violation ID`" + ")cv"
+ "JOIN violation v ON cv.`Violation ID` = v.`Violation ID` "
+ "JOIN class_record tr ON cv.`Class No.` = tr.`Class No.` "
+ "WHERE tr.`Class ID` = '" + where + "'";
And I get this error:
MySql.Data.MySqlClient.MySqlException: Fatal Error encountered during
command execution ---> MySql.Data.MySqlClient.MySqlException: Parameter
'@rn' must be defined
at
MySql.Data.MySqlClient.Statement.SerializeParameter(MySqlParameterCollection
parameters, MySqlPacket packet, String parmName, Int32 parameterIndex)
at MySql.Data.MySqlClient.Statement.InternalBindParameters(String sql,
MySqlParameterCollection parameters,MySqlPacket packet)
How would I correct my SQL query and define the parameter?
C#code? Are you providingvaluefor allParametersincluding@rn?"WHERE tr.``Class ID`` = '" + where + "'"is open to SQL injection, for example.