C
C#3mo ago
Xantres

MySql Syntax error

I am creating a method that will take in an object with properties that have data that is needed for the DB Update. I am getting an error that is included in a screen shot. Here is my code: 
C#
public static void UpdateCustomerName(Customer customer)
{
  string updateName = $"UPDATE client_schedule.customer SET customerName = '{customer.CustomerName}'" +
      $"WHERE customerId = {customer.CustomerID}";
  
  DBConnect.StartConnection(); // Starts the connection
  
  try
  {
    using (DBConnect.Conn)
      using (MySqlCommand cmd = new MySqlCommand(updateName, DBConnect.Conn))
      {
        cmd.ExecuteNonQuery();
      }
    }
  }
  catch (MySqlException ex) 
  {
    DBConnect.StopConnection();
    
    MessageBox.Show(ex.Message);
  }

  DBConnect.StopConnection();
}
C#
public static void UpdateCustomerName(Customer customer)
{
  string updateName = $"UPDATE client_schedule.customer SET customerName = '{customer.CustomerName}'" +
      $"WHERE customerId = {customer.CustomerID}";
  
  DBConnect.StartConnection(); // Starts the connection
  
  try
  {
    using (DBConnect.Conn)
      using (MySqlCommand cmd = new MySqlCommand(updateName, DBConnect.Conn))
      {
        cmd.ExecuteNonQuery();
      }
    }
  }
  catch (MySqlException ex) 
  {
    DBConnect.StopConnection();
    
    MessageBox.Show(ex.Message);
  }

  DBConnect.StopConnection();
}
No description
14 Replies
Jimmacle
Jimmacle3mo ago
i can see it, but print out the string and see if you can find it also, you should absolutely not be using string concatenation to build SQL queries like this you're making your application vulnerable to SQL injection use parameterized queries instead
Xantres
Xantres3mo ago
is that when you use the @ symbol?
Jimmacle
Jimmacle3mo ago
yes it stops someone from trying to change their name to, for example, ';-- and wiping out all the names in your database or generally executing any SQL query they want to
Xantres
Xantres3mo ago
I have printed it out and have reviewed the MySql manual, but am not seeing a difference, can you point out where my mistake is other then the vulnerable code?
Jimmacle
Jimmacle3mo ago
you're missing a space between the end quote of the customer name and the WHERE
Xantres
Xantres3mo ago
So you need a space after the end of the Where clause?
Jimmacle
Jimmacle3mo ago
try it and see and read what i said more closely
Xantres
Xantres3mo ago
So with parameterized queries, if I have an object as a perameter, I could do something like "@customer.CustomerID" or do I need to break out the object perameters into separate variables before using them in the string?
Jimmacle
Jimmacle3mo ago
you would not reference C# variables directly in the query the SQL parameters are placeholders, then you write additional code to add values for those placeholders https://visualstudiomagazine.com/articles/2017/07/01/parameterized-queries.aspx
Xantres
Xantres3mo ago
thanks!
Jimmacle
Jimmacle3mo ago
this separates the actual command you want to execute and the data the command needs which makes it impossible for the data to change the command that's executed
Xantres
Xantres3mo ago
so I changed out my original string with this: 
C#
  string updateName = @"UPDATE client_schedule.customer SET customerName = '@customer.CustomerName' WHERE customerId = @customer.CustomerID ";
C#
  string updateName = @"UPDATE client_schedule.customer SET customerName = '@customer.CustomerName' WHERE customerId = @customer.CustomerID ";
and I got a fatal error during execution I apologize for my apparent ignorance, I am currently in school learning C#
Jimmacle
Jimmacle3mo ago
if that's all you changed then you're missing steps, read the article i linked
Xantres
Xantres3mo ago
Thank you for your time @Jimmacle, I appreciate the direction you provided.
Want results from more Discord servers?
Add your server
More Posts
how do i check if a string contains only words and spaceive got an if statement that needs to check if a string contains only letters or spaces, online i caC# Acces Databaseq query problemWhen I query the Access Database in C#, it gives an error with the "Like" command.✅ Anybody using PostSharp/Metalama?Before source generators and MVVM toolkit were around, I was looking for ways to simplify my mvvm deMutex? ASP Core - Only Allowing a Method to Be Run One at a TimeI have a scenario where I want all requests to an endpoint to have the ability to only be run one at✅ Help with xmlserializationHi, so I've installed this library called SpeedTestSharp to run a Internet Speed Test through my appUnity 3D enemy AI tutorial not working as advertisedHello, I am working on a game for my game dev and design class and I used this tutorial https://m.yo✅ Executing bash script in docker container with Docket.DotNet in ASP.NET websiteSo i need to run some script in docker container and the container crashes instantly and logs are: `✅ Need help in reading data from Serial PortI want to read data from the serial port and display it on the console. I tried `using System.IO.PorInvalid signatureHi, while working on code to access remotely some files, I got this error : Invalid Signature. at Any suggenstion how to implement shopping cart feature?How can I implement a shopping cart feature in my food delibery application, utilizing Vue.js for th