stackoom
  简体   繁体   中英

“invalid column name” error when retrieving data from SQL database?

 原文  2015-10-18 18:41:48       c#/ sql/ database/ data-retrieval

Question

I have a database with 3 columns on it: FIRST_NAME, LAST_NAME, and IMAGE. I always get the error "invalid column name 'the name from the first column'." I am supposed to write the first name and click a button to show the last name and the image. I am using C#, this is my current code: 

        private void button_show_Click(object sender, EventArgs e)
    {
        try
        {
            string sql = "select LAST_NAME,IMAGE from Table_1 where FIRST_NAME=" + this.firstname_textbox.Text + "";
            if (conn.State != ConnectionState.Open)
                conn.Open();
            command = new SqlCommand(sql, conn);
            SqlDataReader reader = command.ExecuteReader();
            reader.Read();
            if (reader.HasRows)
            {
                lastname_textbox.Text = reader[0].ToString();
                byte[] img = (byte[])(reader[1]);
                if (img == null)
                pictureBox1.Image = null;
                else
                {
                    MemoryStream ms = new MemoryStream(img);
                    pictureBox1.Image = Image.FromStream(ms);
                }

            }
            else
            {
                MessageBox.Show("This Name Does Not Exist");
            }
            conn.Close();
        }
        catch(Exception ex)
        {
            conn.Close();
            MessageBox.Show(ex.Message);
        }
    }
}

Thanks.

1 answers

solution1
 2 ACCPTED  2015-10-18 18:44:26

You have an unquoted string in your WHERE clause. 

string sql = "select LAST_NAME,IMAGE from Table_1 where FIRST_NAME=" + this.firstname_textbox.Text + "";

should be: 

string sql = "select LAST_NAME,IMAGE from Table_1 where FIRST_NAME='" + this.firstname_textbox.Text + "'";

You should also know that using string concatenation for SQL query parameters is bad practice as it creates a SQL Injection vulnerability. For example, imagine the result if this.firstname_textbox.Text was: 

';DELETE FROM Table_1 WHERE '1' = '1

This would result in the variable "sql" being this: 

select LAST_NAME,IMAGE from Table_1 where FIRST_NAME='';DELETE FROM Table_1 WHERE '1' = '1'

To avoid this problem, use parameterized queries ( https://msdn.microsoft.com/en-us/library/vstudio/bb738521%28v=vs.100%29.aspx )

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Retrieving a record from database getting error as “Invalid column Name” in SQL? Invalid column name 'Math' - retrieving data from database “Invalid column name” when trying to insert data into database using SQL Retrieving a Row from a table causes invalid column name error Invalid column name when inserting a row to sql database Invalid column name sql error Invalid column name error when Saving Selected Text From Drop Down Box into Database Invalid column name error from SQL generated by EF Error when retrieving data from database (ado.net) LINQ Error Invalid Column when retrieving additional column value
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM