CODEWITHSUNDEEP
c#sqlodacoraclecommand
msytNadeem
msytNadeem

Reputation: 173

Odac ORA-00911: invalid character

I am writing a C# code that connects to ODAC. I think my query got no errors, but I get this error, I don't know how to solve.

This is my query

comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id + 
                   "' AND APPID = '" + app_id + "' ;";

Can any one figure out what is wrong in here?

Upvotes: 2

Views: 1825

Answers (2)

Yahia
Yahia

Reputation: 70369

Your query is vulnerable for a security issue called SQL injection!

You should NEVER use string concatenation for building a query from strings (some SQL, some parameters)... Use always parameterized queries...

Sample code:

comm.BindByName = true;
comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = :login_id AND APPID = :app_id";
comm.Parameters.AddWithValue ("login_id", login_id);
comm.Parameters.AddWithValue ("app_id", app_id);

Upvotes: 4

Soner Gönül
Soner Gönül

Reputation: 98750

Why there is a ; in your sql command? Try this;

comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id + "' AND APPID = '" + app_id "';

By the way, you should always use parameterized queries. This clearly open for an sql injection. For your query, use like this;

string commandText = "SELECT * FROM ZAEDBA WHERE USER_ID = @login_id " + AND
        + "WHERE APPID  = @app_id;";

command.Parameters.Add("@login_id", SqlDbType.Int);
command.Parameters["@login_id"].Value = login_id;

command.Parameters.Add("@app_id", SqlDbType.Int);
command.Parameters["@app_id"].Value = app_id;

Upvotes: 1

Related Questions