CODEWITHSUNDEEP
c#asp.netdatabaseoracle-database
Guido
Guido

Reputation: 1171

C# Oracle table issue

I've got a problem with my ASP.NET application when I'm trying to log in a user. The issue is that when I'm trying to run the query, an exception gets thrown which says the tale name is invalid. It's because the table is called USER, which is a part of SQL.

I'm not in a position where I can change the table name.

        public bool LoginUser(string username, string password)
    { 
        //Database Connectie maken
        DBConnectionOpen();

        string query = @"SELECT NICKNAME, PASSWORD FROM " + "'USER'" + "WHERE NICKNAME = '" + username + "'";
        bool result = false;

        try
        {
            OracleCommand command = new OracleCommand(query, conn);
            OracleDataReader reader = command.ExecuteReader();
            Console.WriteLine("*Query Uitvoeren*");
            reader.Read();

            if (username + password == reader.GetString(0) + reader.GetString(1))
            {
                result = true;
            }
        }

        catch (Exception ex)
        {
            throw ex;
        }

        finally
        {
            conn.Close();
        }

        return result;    


    }

Upvotes: 3

Views: 373

Answers (4)

Guido
Guido

Reputation: 1171

Thanks for all the response, but I finally figured it out.

What the query should have been:

        string query = @"SELECT NICKNAME, ""PASSWORD"" FROM ""USER"" WHERE NICKNAME = '" + username + "'";

Upvotes: 1

tbone
tbone

Reputation: 15473

Whomever named the table "USER" should have db privs removed, but I think you just need to add double quotes around the table name:

select * from "USER" where ...

Note that its case sensitive when you add the double quotes, so if the table is named User you'd need "User" instead of "USER"

Upvotes: 1

Alexander Bell
Alexander Bell

Reputation: 7918

Try to correct your SQL statement like the following:

string query = "SELECT NICKNAME, PASSWORD FROM [USER] WHERE NICKNAME = '" + username + "'";

Also, if you are using SQL reserved word (e.g. DATE) as a Column name, then enclose it in angular brackets (like [DATE]) in your SQL statement.

Hope this may help.

Upvotes: 0

Dacker
Dacker

Reputation: 892

You are querying on the string value 'USER'. You should use

string query = @"SELECT NICKNAME, PASSWORD FROM [USER] WHERE NICKNAME = '" + username + "'";

This will query on the table called USER. In SQL normally you use brackets to indicate you are querying on an object if what you mean can be ambiguous.

The concatenation of the table name as a string is unnecessary so I left it out. If you change it to a variable it can be useful.

In addition instead of concatenating username maybe you should also use alternative for Oracle what is called SqlParameter for SQL Server, to avoid SQL injection.

Upvotes: 0

Related Questions