
Incorrect syntax near ' '

This is the code-behind page where I have the error:

if (Session["username"] != null)
{
    SqlConnection con = new SqlConnection();
    con.ConnectionString = ConfigurationManager.ConnectionStrings["registerCS"].ConnectionString;

    // sql1 is spliced into sql inside single quotes, so SQL Server receives it as a string literal, not as a subquery
    string sql1 = "Select pemgrp from Profile where userID = '" + Session["username"].ToString() + "'";
    string sql = "Select studname from Profile where pemgrp = '" + sql1 + "'";

    SqlCommand cmd = new SqlCommand();
    SqlDataReader dr;

    DataTable dt = new DataTable();

    cmd.CommandText = sql;
    cmd.Connection = con;

    //open connection and execute command
    con.Open();
    dr = cmd.ExecuteReader();

    if (dr.Read())
    {
        lb_classmates.Text = dr[0].ToString();
    }
}

However, when I run it, it gives me this error: Incorrect syntax near the keyword 'where'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near the keyword 'where'.

As you are using a sub-query, this

string sql = "Select studname from Profile where pemgrp = '" + sql1 + "'";

should be

string sql = "Select studname from Profile where pemgrp in (" + sql1 + ")";

and you should be using parameterized queries to avoid SQL injection.

I think it should be

string sql = "Select studname from Profile where pemgrp in (" + sql1 + ")";

instead of

string sql = "Select studname from Profile where pemgrp = '" + sql1 + "'";

I would strongly recommend that you use parameterized queries.

You should use a parameterized query, something like this:

string sql = "Select studname from Profile where pemgrp = @p1";

and to pass the parameter:

command.Parameters.AddWithValue("@p1", sql1);

No One's answer is of course right.

If you want to use a subquery in a query, you should use IN (Transact-SQL):

Determines whether a specified value matches any value in a subquery or a list.

test_expression [ NOT ] IN ( subquery | expression [ ,...n ] )

Also, you should always use parameterized queries. This kind of string concatenation is open to SQL injection attacks.

Also consider using a using statement to dispose of your SqlConnection.

using (SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["registerCS"].ConnectionString))
{
    connection.Open();
    // the username is bound as a parameter, so its content is never parsed as SQL text
    string sql1 = "Select pemgrp from Profile where userID = @username";
    string sql = "Select studname from Profile where pemgrp IN (" + sql1 + ")";
    using (SqlCommand command = new SqlCommand(sql, connection))
    {
        command.Parameters.AddWithValue("@username", Session["username"].ToString());
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // read reader[0] (studname) for each row
            }
        }
    }
}
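The parameterized subquery, the using blocks and the multi-row read from this answer, pulled together into one reusable method as an added example (not code from the question or from any of the answers). It assumes the Profile table from the question (columns userID, pemgrp, studname) and the "registerCS" connection string; the NVarChar(50) parameter type and the ClassmateLookup/GetClassmates names are assumptions.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original question or answers.
// Assumes the Profile table (userID, pemgrp, studname) and the "registerCS"
// connection string described on the page.
public static class ClassmateLookup
{
    // One statement instead of two: the first query becomes a real subquery
    // inside IN (...), and the username is a parameter rather than text
    // spliced between single quotes, so a value such as O'Brien can no longer
    // break the statement or change its meaning.
    private const string ClassmatesSql =
        "SELECT studname FROM Profile " +
        "WHERE pemgrp IN (SELECT pemgrp FROM Profile WHERE userID = @username)";

    public static List<string> GetClassmates(string username)
    {
        var names = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["registerCS"].ConnectionString;

        // using blocks dispose the connection, command and reader even when
        // ExecuteReader throws (for example on a syntax error like the one asked about).
        using (var connection = new SqlConnection(cs))
        using (var command = new SqlCommand(ClassmatesSql, connection))
        {
            // Explicit type and length (assumed NVarChar(50)) instead of AddWithValue,
            // so the cached plan does not depend on the length of each supplied value.
            command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                // The question's code read only the first row; a group has many members.
                while (reader.Read())
                {
                    if (!reader.IsDBNull(0))
                        names.Add(reader.GetString(0));
                }
            }
        }
        return names;
    }
}
```

In the code-behind this replaces the original block with `lb_classmates.Text = string.Join(", ", ClassmateLookup.GetClassmates(Session["username"].ToString()));` after the null check on Session["username"].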
