1

I'm new to SQL and Visual Studio etc., but I've changed something that isn't allowing me to log in to my application. Whenever I press the login button I get this error:

Incorrect syntax near the keyword 'from'

Here is where the source may be:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

namespace RockPaperApp
{
  public partial class WebForm1 : System.Web.UI.Page
  {
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["New"] != null)
        {
            Response.Redirect("/Game.aspx");
        }
    }

    protected void RegButton_Press(object sender, EventArgs e)
    {
        Response.Redirect("/Register.aspx");
    }

    protected void LogButton_Press(object sender, EventArgs e)
    {
        string username = UsernameLogTxt.Text;

        try
        {
            string conn = ConfigurationManager.ConnectionStrings["UserConS"].ToString();
            string CommandText = "pword from data Username=@username";

            using (SqlConnection connection = new SqlConnection(conn.ToString()))
            using (SqlCommand command = new SqlCommand(CommandText, connection))
            {
                command.Parameters.AddWithValue("@username", username);
                connection.Open();

                using (SqlDataReader reader = command.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        string realpass = reader[0].ToString();

                        if (realpass != PasswordLogTxt.Text)
                        {
                            Response.Write("<span style='color:red'>A Wrong Username or Password has been entered.</span>");
                        }
                        else
                        {
                            Session["New"] = UsernameLogTxt.Text;
                            Response.Redirect("/Game.aspx");
                        }
                    }

                    if (!reader.HasRows)
                    {
                        Response.Write("No such username exists.");
                    }
                }
                connection.Close();
            }

        }
        catch (SqlException ex)
        {
            Response.Write( ex.Message);
        }
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        Response.Redirect("Register.aspx");
    }
  }      
}
1
  • Although probably not important for this question: when asking SQL questions always add the tag corresponding to your DBMS (postgresql, oracle, sql-server, ...). SQL is a query language, not a DBMS product. Commented Mar 6, 2014 at 19:53

2 Answers

2

This isn't a valid SQL query:

"pword from data Username=@username"

Maybe you copied/pasted part of a query when you meant to copy/paste the whole thing? It doesn't even look like a valid part of a query, though.

The error is telling you that the problem is at keyword from because that's the first thing it encounters after the error. For SQL errors, always look at the very last thing that was parsed before the location of the error; that last thing is what caused it. In this case the keyword pword caused it, since that's not a valid keyword or identifier in SQL and the query parser couldn't make sense of it.

Side note: All too often on Stack Overflow we have to lecture developers, new and experienced alike, for SQL injection vulnerabilities. This is a rare chance where I get to personally commend you for taking the initiative to use parameterized queries despite your relatively new experience level. I'm genuinely impressed, please keep up the good work!

Another side note: Though, you are also storing passwords in plain text, which is a very very bad thing. It's better to hash the password and store the hash. Then when a user enters a password, hash what they enter and compare it against the stored hash. Once you get this working, I hope you address that as well :)


4 Comments

Yeah pretty much this - pasting sort of notes, rather than full syntax. Thank you!
@user2974706: Please see my update as well. While your code has a mistake, it also has a very good thing that I hope you continue to use :)
Our lecturer really drilled it into us. The importance has stuck :) Thank you!
@user2974706: I just made another update, and one you can bring back to your lecturer to drill into him, because he needs to remember it :)
1

Your SQL needs to be: SELECT pword FROM data WHERE Username=@username.

The capitalization of the keywords (SELECT, FROM, WHERE) doesn't matter.
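
The corrected parameterized query from this answer combined with the hashing advice from the first answer, as an added example (not code from the question or from either answer). The class name PasswordStore, the columns pword_salt and pword_hash, and the iteration count are assumptions; PBKDF2 through Rfc2898DeriveBytes is one common choice of password hash, not one the answers name.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example. Assumed schema (hypothetical columns):
//   data(Username, pword_salt VARBINARY(16), pword_hash VARBINARY(32))
public static class PasswordStore
{
    const int SaltBytes = 16, HashBytes = 32;
    const int Iterations = 210000; // assumed work factor; tune for your hardware

    static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2-HMAC-SHA256; this overload needs .NET Framework 4.7.2+ or .NET Core 2.0+
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Call at registration and store both arrays instead of the password itself.
    public static void Create(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        hash = Derive(password, salt);
    }

    // Compares every byte so timing does not reveal how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Login check: hash what the user typed with the stored salt and compare hashes.
    // Returns false both for an unknown username and for a wrong password.
    public static bool Verify(string connString, string username, string password)
    {
        const string sql = "SELECT pword_salt, pword_hash FROM data WHERE Username=@username";
        using (var connection = new SqlConnection(connString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.AddWithValue("@username", username);
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                if (!reader.Read()) return false;
                return FixedTimeEquals(Derive(password, (byte[])reader["pword_salt"]), (byte[])reader["pword_hash"]);
            }
        }
    }
}
```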
