Incorrect syntax near ',' error in asp.net?

Question

This is my code in Asp.Net and C#. I am trying to figure out this error from 2 hours but unable to find.

Any kind of help is appreciated.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;

public partial class Result : System.Web.UI.Page
{
    SqlConnection con;
    SqlCommand cmd;
    SqlDataReader dr;

    string city1, area1, type1, min, max;
    int id;

    protected void Page_Load(object sender, EventArgs e)
    {
       city1 = Request.QueryString["city"];
       area1 = Request.QueryString["area"];
       // type1 = Request.QueryString["propertytype"];
       type1= "1bhk";
       min = Request.QueryString["minprice"];
       max = Request.QueryString["maxprice"];
       //  id = Convert.ToInt32(Request.QueryString["uid"]);
       id = 1;

       con = new SqlConnection("integrated security=true; database=data1; server=sudhir-pc");
       con.Open();

       cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"', area='"+area1+"', propertytype='"+type1+"', users_id="+id+"", con);
       //  cmd1 = new SqlCommand("select frstname,laststname,contactno from users where users_id='"+id+"'", con);

       dr = cmd.ExecuteReader();

       while (dr.Read())
       {
           Label1.Text = (string)dr["price"];
           string area = (string)dr["area"];
           string image = (string)dr["imagename"];
           int id1 = (int)dr["users_id"];
       }
    }
}

Error line is dr=cmd.executereader();. Same query runs on sql server. can this kind of error be logical?

Answer 1

You can try this :

cmd = new SqlCommand("select price,area,imagename,users_id from property where city=@city and area=@area and propertytype=@proprtytype and users_id=@userid ", con);
cmd.Parameters.AddWithValue("@city", city1);
cmd.Parameters.AddWithValue("@area", area1);
cmd.Parameters.AddWithValue("@propertytype", type1);
cmd.Parameters.AddWithValue("@userid", id);

   //  cmd1 = new SqlCommand("select frstname,laststname,contactno from users where users_id='"+id+"'", con);

   dr = cmd.ExecuteReader();

Answer 2

You have to use and after where condition not comma's

You are in SQL Injection attack..Always use paremeterized queries

cmd = new SqlCommand("select price,area,imagename,users_id from property where 
                       city=@city1 and area=@area1 and 
                       propertytype=@type1 and users_id=@id", con);
cmd.Parameters.AddWithValue("@city1",city1);
cmd.Parameters.AddWithValue("@area1",area1);
cmd.Parameters.AddWithValue("@type1",type1);
cmd.Parameters.AddWithValue("@id",id);
dr = cmd.ExecuteReader();

Answer 3

replace your comma's with and in your command.So,

cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"', area='"+area1+"', propertytype='"+type1+"', users_id="+id+"", con);

would become

cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"' and area='"+area1+"' and propertytype='"+type1+"' and users_id="+id+"", con);

A part from that, this is not the way how you should be doing it. You should always use Paremeterized queries. You can read the pros of that here and here.