asp.net - VB.NET/ SQL Server 2012 - Invalid column name -
when pressing 'register' button, visual studio 2012 giving me error in sql statement
sqlvalidate = "select * users username=" + txtusername.text.tostring the error being:
invalid column name 'cdarwin'
where 'cdarwin' username entered in txtusername.
can tell me whats wrong?
this full code sub:
public sub register() dim username string = txtusername.text dim surname string = txtsurname.text dim password string = txtpassword.text dim name string = txtname.text dim address1 string = txtaddress1.text dim address2 string = txtaddress2.text dim city string = txtcity.text dim email string = txtemail.text dim country string = drpcountry.text dim dob date = caldob.selecteddate dim occupation string = txtoccupation.text dim worklocation string = txtworklocation.text dim age integer = date.today.year - caldob.selecteddate.year dim projectmanager string = "n/a" dim teamleader string = "n/a" dim teamleaderid integer = "1" dim projectmanagerid integer = "1" dim registrationdate date = datetime.today dim contracttype string = "n/a" dim contractduration integer = 6 dim department string = "n/a" dim conn new sqlconnection("data source=brian-pc\sqlexpress;initial catalog=master_db;integrated security=true") dim registersql sqlcommand dim sqlcomm string dim validatesql sqlcommand dim sqlvalidate string sqlvalidate = "select * users username=" + txtusername.text.tostring sqlcomm = "insert users(username, password, name, surname, address1, address2, " + "city, country, date_of_birth, age, occupation, department, work_location, " + "project_manager,team_leader, team_leader_id, project_manager_id, " + "date_registration, contract_type, contract_duration) " + "values(@p1, @p2,@p3,@p4,@p5,@p6,@p7,@p8,@p9,@p10,@p11,@p12,@p13,@p14,@p15," + "@p16,@p17,@p18,@p19,@p20)" conn.open() validatesql = new sqlcommand(sqlvalidate, conn) dim dr sqldatareader = validatesql.executereader() if dr.hasrows = false dr.close() registersql = new sqlcommand(sqlcomm, conn) registersql.parameters.addwithvalue("@p1", username) registersql.parameters.addwithvalue("@p2", password) registersql.parameters.addwithvalue("@p3", name) registersql.parameters.addwithvalue("@p4", surname) registersql.parameters.addwithvalue("@p5", address1) registersql.parameters.addwithvalue("@p6", address2) registersql.parameters.addwithvalue("@p7", city) registersql.parameters.addwithvalue("@p8", country) registersql.parameters.addwithvalue("@p9", dob) registersql.parameters.addwithvalue("@p10", age) registersql.parameters.addwithvalue("@p11", occupation) registersql.parameters.addwithvalue("@p12", department) registersql.parameters.addwithvalue("@p13", worklocation) registersql.parameters.addwithvalue("@p14", projectmanager) registersql.parameters.addwithvalue("@p15", teamleader) registersql.parameters.addwithvalue("@p16", teamleaderid) registersql.parameters.addwithvalue("@p17", projectmanagerid) registersql.parameters.addwithvalue("@p18", registrationdate) registersql.parameters.addwithvalue("@p19", contracttype) registersql.parameters.addwithvalue("@p20", contractduration) registersql.executenonquery() conn.close() elseif dr.hasrows = true lblusername.text = "that username (" + txtusername.text + ") registered/taken." lblusername.visible = true conn.close() end if end sub
with exception of not using parameterized queries (vulnerable sql injection), need quotes around string:
sqlvalidate = "select * users username='" + txtusername.text.tostring + "'" without quotes, sql server trying interpret "cdarwin" column name.
here mockup of using parameterized queries:
sqlvalidate = "select * users username=@user" ... validatesql.parameters.addwithvalue("@user", txtusername.text)
Comments
Post a Comment