kuldeep singh kuldeep singh - 11 months ago 65
ASP.NET (C#) Question

Asp.net Special Character in dropdownlist box giving error

I am populating dropdown list box from data base. In datbase there are some special charter(Soft's, --manage etc) in data. When i am clicking on show button to view the record based on selected value it is giving the following error..

Server Error in '/' Application.
Incorrect syntax near 's'.
Unclosed quotation mark after the character string ' '.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near 's'.
Unclosed quotation mark after the character string ' '.

Source Error:
Line 208: SqlDataAdapter da = new SqlDataAdapter(cmd);
Line 209: DataSet ds = new DataSet();
Line 210: da.Fill(ds);
Line 211: gvUsrEdit.DataSource = ds;
Line 212: gvUsrEdit.DataBind();

Any help please.

Answer Source

Try to send the parameter like this

protected void btnShow_Click(object sender, EventArgs e)
string d1 = ddlEmpName.Text;
string d2 = ddlQuater.Text;
string d3 = ddlyear.Text;
string d4 = ddlKRA.Text;
string strquery = "select * from  btaprs2 where vEmpID=@d1 and vQuarter=@d2 and vyear1=@d3 and tKRA=@d4 and v10='Active' ";

if (con.State != ConnectionState.Closed)

SqlCommand cmd = new SqlCommand(strquery, con);
cmd.Parameters.AddWithValue("@d1", d1);
cmd.Parameters.AddWithValue("@d2", d2);
cmd.Parameters.AddWithValue("@d3", d3);
cmd.Parameters.AddWithValue("@d4", d4);     
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
gvUsrEdit.DataSource = ds;

You should always use parameters in your query - NEVER concatenate together your SQL statements .

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks