C# Syntax error (missing operator) in query expression

0
votes

I receive this error on cmd.ExecuteNonQuery()... I think I am wrong on cmd.CommandText...

Syntax error (missing operator) in query expression 'Nr_Crt='1' and Varsta '3' and KG '2' and Specie 'Iepure' and Risc'Nu' and Tip1 'Diurn' and Tip2 'Carnivor''.

    private void button2_Click_1(object sender, EventArgs e)
        {
            if (txtNr_Crt.Text != " " & txtVarsta.Text != " " & txtKG.Text != " " & txtSpecie.Text != " " & txtRisc.Text != " " & txtTip1.Text != " " & txtTip1.Text != " " & txtTip2.Text != "")
            {

                cn.Open();
                cmd.CommandText = "DELETE from Animale Where Nr_Crt='" + txtNr_Crt.Text + "' and Varsta '" + txtVarsta.Text + "' and KG '" + txtKG.Text + "' and Specie '" + txtSpecie.Text + "' and Risc'" + txtRisc.Text + "' and Tip1 '" + txtTip1.Text + "' and Tip2 '" + txtTip2.Text + "'";
                cmd.ExecuteNonQuery();
                cn.Close();

                loaddata();

                txtNr_Crt.Text = "";
                txtVarsta.Text = "";
                txtKG.Text = "";
                txtSpecie.Text = "";
                txtSex.Text = "";
                txtRisc.Text = "";
                txtTip1.Text = "";
                txtTip2.Text = "";
            }
        }
3
c#ms-accesssql-deleteoledbexception
Hello SQL injection! And you are missing the = from the rest of the queryDGibbs
Please use parameterized queries. This kind of string concatenations are open for SQL Injection attacks.Soner Gönül

3 Answers

1
votes

You code is vulnerable to SQL injection, i'd fix that.

The issue is that you are missing the = from each of your subsequent and's:

cn.Open();

cmd.Parameters.AddWithValue("@Nr_Crt", txtNr_Crt.Text);  
cmd.Parameters.AddWithValue("@Varsta", txtVarsta.Text);  
cmd.Parameters.AddWithValue("@KG", txtKG.Text);  
cmd.Parameters.AddWithValue("@Specie", txtSpecie.Text);  
cmd.Parameters.AddWithValue("@Risc", txtRisc.Text);  
cmd.Parameters.AddWithValue("@Tip1", txtTip1.Text);  
cmd.Parameters.AddWithValue("@Tip2", txtTip2.Text);  
cmd.CommandText = "DELETE from Animale Where Nr_Crt= @Nr_Crt and Varsta = @Varsta and KG = @KG and Specie = @Specie and Risc = @Risc and Tip1 = @Tip1 and Tip2 = @Tip2";

cmd.ExecuteNonQuery();
cn.Close();

This should fix it (and the SQL injection risk)

0
votes

Your query is wrong. You are missing = when comparing the columns

cmd.CommandText = "DELETE from Animale Where Nr_Crt='" + txtNr_Crt.Text + "' and Varsta='" + txtVarsta.Text + "' and KG='" + txtKG.Text + "' and Specie='" + txtSpecie.Text + "' and Risc='" + txtRisc.Text + "' and Tip1='" + txtTip1.Text + "' and Tip2='" + txtTip2.Text + "'";
0
votes
foreach(Control ctrl in this.Controls)
{
    if (ctrl is TextBox)
    {
      ctrl.text="";
    }
}

For cleaning all textbox at once :) you can create a Method that performs it when you need it