fadilla 'atyka fadilla 'atyka - 4 months ago 39
ASP.NET (C#) Question

Syntax error : System.Data.SqlClient.SqlException: Incorrect syntax near '='

I received this server error and I can't figure out where the trouble is:


Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect
syntax near '='.


My Code is here :

public partial class v2_kradescription : System.Web.UI.Page
{
SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["ConnectionString"].ToString());

protected void Page_Load(object sender, EventArgs e)
{
try
{
// icnoA for appraisee icno


string role = "";

string kr_icno = (string)(Session["s_icno"]);
string kr_position = (string)(Session["kr_position"]);
string kr_description = (string)(Session["kr_description"]);

Session["role"] = role;

if (role == "KRA")
{
kr_icno = (string)(Session["s_icno"]);
kr_position = (string)(Session["kr_position"]);
kr_description = (string)(Session["kr_description"]);
}
conn.Open();
SqlDataSource1.SelectCommand = "SELECT kr_id, kr_position, kr_description FROM tblKRAObjectiveWHERE kr_icno = " + s_icno;
conn.Close();
}

catch (Exception ex)
{
lblMsg.Text = ex.Message; //" Error while saving the record.";
}
//conn.Open();
//string icno = (string)(Session["s_icno"]);
//SqlDataSource1.SelectCommand = "SELECT kr_id, kr_position, kr_description FROM tblKRAObjective WHERE kr_icno = " + icno;

//conn.Close();

}

protected void GridView1_OnRowDataBound(object sender, GridViewRowEventArgs e)
{
string kr_id = Request.QueryString["kr_id"];

string id = "";

if (e.Row.RowType == DataControlRowType.DataRow)
{
id = GridView1.DataKeys[e.Row.RowIndex].Values[0].ToString();
}
Label lblposition = (Label)e.Row.FindControl("lblposition");
Label lbldescription = (Label)e.Row.FindControl("lbldescription");

if(e.Row.DataItem != null)
{
conn.Open();

String queryA = "SELECT kr_id, kr_position, kr_description FROM tblKRAObjective WHERE kr_icno = " + s_icno;
SqlCommand cmdA = new SqlCommand(queryA, conn);
SqlDataReader drA = cmdA.ExecuteReader();

if (drA.Read())
{
lblposition.Text = drA["kr_position"].ToString();
lbldescription.Text = drA["kr_description"].ToString();
}
drA.Close();
}
}

protected void GridView1_OnRowEdited(object sender, GridViewEditEventArgs e)
{
GridView1.EditIndex = e.NewEditIndex;
}

protected void GridView1_RowCancelingEdit(object sender, GridViewCancelEditEventArgs e)
{
GridView1.Focus();
}

protected void GridView1_OnRowUpdated(object sender, GridViewUpdateEventArgs e)
{
Response.Redirect("kra_description.aspx?Sucess");
}

protected void OnPaging(object sender, GridViewPageEventArgs e)
{
GridView1.PageIndex = e.NewPageIndex;
}

protected void btnPreview_Click(object sender, EventArgs e)
{
Response.Redirect("kra_pdf.aspx");
}

protected void btnSubmit_Click(object sender, EventArgs e)
{
if (Page.IsValid)
{

string kricno = (string)(Session["s_icno"]);
string krid = (string)(Session["kr_id"]);
string krdescription = (string)(Session["kr_description"]);
string krposition = (string)(Session["kr_position"]); ;

try
{

// get requester name, companyid, primary appraiser of requester

String queryA = "SELECT kr_id, kr_description, kr_position FROM tblKRAObjective WHERE s_icno = '"+kricno;
SqlCommand cmdA = new SqlCommand(queryA);
SqlDataReader drA = cmdA.ExecuteReader();

if (drA.Read())
{
krid = drA["kr_id"].ToString();
kricno = drA["kr_icno"].ToString();
krdescription = drA["kr_description"].ToString();
krposition = drA["kr_position"].ToString();
}
drA.Close();

SqlCommand cmd1 = new SqlCommand();
cmd1.CommandType = CommandType.StoredProcedure;

cmd1.Parameters.Add("@kr_id", SqlDbType.NVarChar).Value = krid.ToString();
cmd1.Parameters.Add("@kr_descpription", SqlDbType.NVarChar).Value = krdescription.ToString();
cmd1.Parameters.Add("@kr_position", SqlDbType.NVarChar).Value = krposition.ToString();
cmd1.Parameters.Add("@kr_icno", SqlDbType.NVarChar).Value = kricno.ToString();

cmd1.ExecuteNonQuery();


}
catch (Exception ex)
{
lblMsg.Text = ex.Message; //" Error while saving the record.";
}
Response.Redirect("kra_dashboard.aspx");
}
}


protected void btnAddNew_Click(object sender, EventArgs e)
{

}
}

Answer

In this line you are missing a space between the table name and the Where

SqlDataSource1.SelectCommand = "SELECT kr_id, kr_position, kr_description FROM tblKRAObjectiveWHERE kr_icno = " + s_icno;

Try this:

"SELECT kr_id, kr_position, kr_description FROM tblKRAObjective WHERE kr_icno = '" + s_icno + "'";

And in order to avoid Sql Injections use Parameterized queries