1
votes

I get these errors:

error CS1502: The best overloaded method match for 'System.Data.SqlClient.SqlConnection.SqlConnection(string, System.Data.SqlClient.SqlCredential)' has some invalid arguments

error CS1503: Argument 2 : cannot convert from 'System.Data.SqlClient.SqlConnection' to 'System.Web.WebPages.HelperResult'

This is my code:

public string NumeroFactura(string NoDeFactura)
{
        string DtsConnection = "ITLIGENCIA-POS\\SQLEXPRESS; Initial Catalog = SSOLINVBASESQL; Trusted_Connection = Yes";
        SqlConnection Con = new SqlConnection(DtsConnection);
        Con.Open();

        SqlDataAdapter CMD = new SqlConnection("select * from INVE_FACTURAS_PRODUCTOS_ENC where NFACTURA='"+ NoDeFactura+ "'",Con);
        DataSet DS = new DataSet();
        CMD.Fill(DS, "DATOS");

        DataTable TableNFACTURA = DS.Tables[0];
        string NFACTURA = TableNFACTURA.Rows[0]["NFACTURA"].ToString();

        return "El número de factura es" + NFACTURA;
}
2
Think about what would happen if a malicious user can input some text into NoDeFactura and they put in blah'; DROP TABLE INVE_FACTURAS_PRODUCTOS_ENC;-- - Eric J.
Just a thought: it's common practice in C# not to capitalize the names of local variables or method parameters. When you use title case (such as "DtsConnection") it looks like a class name or method name, and when you use all uppercase (such as "NFACTURA"), it looks like the name of a constant. Using camel case ("dtsConnection", "con", "cmd", etc.) will make your code more readable. - jason44107

2 Answers

1
votes

SqlDataAdapter CMD = new SqlConnection(...

should be

SqlDataAdapter CMD = new SqlDataAdapter(...

Also, look up "SQL injection" and "parameterized queries", you're doing something pretty dangerous.

While I'm at it, using select * (and SqlDataAdapter for that matter) to retrieve one row and one column isn't terribly efficient. And you're assuming that you will get a row back; if NoDeFactura doesn't exist in the database, TableNFACTURA.Rows[0]["NFACTURA"].ToString() will throw a null reference exception.

0
votes

You are missing Data Source or Server key. Your connection string should look like

Server=ITLIGENCIA-POS\\SQLEXPRESS; Initial Catalog = SSOLINVBASESQL; Trusted_Connection = Yes
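
The fixes suggested in the comments and answers above, combined in one method. This is an added example, not code from the question or from either answer. The class name `FacturaLookup`, the `varchar(50)` column type and the not-found message are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class FacturaLookup
{
    // Connection string in the form given in the second answer (Server key present).
    private const string ConnectionString =
        "Server=ITLIGENCIA-POS\\SQLEXPRESS; Initial Catalog=SSOLINVBASESQL; Trusted_Connection=Yes";

    public static string NumeroFactura(string noDeFactura)
    {
        if (string.IsNullOrWhiteSpace(noDeFactura))
            throw new ArgumentException("Invoice number is required.", nameof(noDeFactura));

        // Select only the column that is needed. @nfactura is a placeholder:
        // the value travels separately from the SQL text, so input such as
        // the "blah'; DROP TABLE ..." string from the comment is compared as
        // data and never executed.
        const string sql =
            "SELECT NFACTURA FROM INVE_FACTURAS_PRODUCTOS_ENC WHERE NFACTURA = @nfactura";

        // using blocks close the connection and command even if an exception is thrown.
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Assumption: NFACTURA is varchar(50); match the type and length to the real schema.
            cmd.Parameters.Add("@nfactura", SqlDbType.VarChar, 50).Value = noDeFactura;

            con.Open();

            // ExecuteScalar returns the first column of the first row,
            // or null when no row matches, so there is no Rows[0] to fail on.
            object result = cmd.ExecuteScalar();

            if (result == null || result == DBNull.Value)
                return "Factura no encontrada"; // assumed not-found message

            return "El número de factura es " + result;
        }
    }
}
```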