My query only works with integers; when I search by a string it gives me an error


How do I search by a string in Windows Phone 8.1? This is the code I have; with this code it only finds integer values.

    private async void Btn_buscarUsuario(object sender, RoutedEventArgs e)
    {
        // Look up the user whose Code matches the text typed into txtcodigo
        var existing = Db_Helper.SearchUserCode(txtcodigo.Text);

        if (existing != null)
        {
            // Fill the form fields from the record that was found
            txtcodigo.Text = existing.Code;
            txtusuario.Text = existing.User;
            txtcontrasena.Text = existing.Contrasena;
            CboStatus.SelectedValue = existing.Status;
            txtemail.Text = existing.Email;
        }
    }

This is the query I have:

    public Usuarios SearchUserCode(string Usercode)
    {
        using (var dbConn = new SQLiteConnection(App.DB_PATH))
        {
            // Usercode is concatenated straight into the SQL text, without quotes
            var existingCodeUser = dbConn.Query<Usuarios>("select * from Usuarios where Code=" + Usercode).FirstOrDefault();
            return existingCodeUser;
        }
    }
    
asked by Sofia 29.11.2016 at 00:14

1 answer


What is happening is that when you pass the search value into the SQL statement, you neither write it as a character string (enclosed in single quotes) nor pass it as a parameter (which is the advisable option).

The easy fix for your problem is simply to enclose it in quotes, for example:

    public Usuarios SearchUserCode(string Usercode)
    {
        using (var dbConn = new SQLiteConnection(App.DB_PATH))
        {
            // The value is now wrapped in single quotes, but it is still concatenated into the SQL text
            var existingCodeUser = dbConn.Query<Usuarios>("select * from Usuarios where Code ='" + Usercode + "'").FirstOrDefault();
            return existingCodeUser;
        }
    }

With this, the error you are seeing now will disappear, but your application will be vulnerable to SQL injection.

My recommendation is that, instead of embedding the value in the SQL statement, you use a parameterized query. You can base yourself on this example to adapt your classes/code to the idea:

    // conn is an already-open SQLiteConnection
    SQLiteCommand command = conn.CreateCommand();
    // @ValorBuscar is a placeholder in the SQL text; no quoting is needed around it
    command.CommandText = "select * from Tabla where Campo = @ValorBuscar";
    // The user-supplied value is bound to the placeholder, so it can never alter the statement
    command.Parameters.Add(new SQLiteParameter("@ValorBuscar", elPeligrosoDatoDelUsuario));

You will find more reasons to use parameterized queries in this answer on SO in English.

    
answered 29.11.2016 at 18:29
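The three query forms the answer walks through (unquoted, quoted-and-concatenated, parameterized), run against the same SQLite engine the phone app uses. This is an added example, not code from the question or the answer: it drives SQLite from Python's sqlite3 module so that it runs stand-alone, and it builds a constructed Usuarios table with made-up rows rather than the poster's data. It shows why the unquoted query works for a numeric code but fails with "no such column" for a string, why the quoted version fixes the error yet lets an input such as `' OR '1'='1` return every row, and why the bound-parameter version returns nothing for that same input. In the sqlite-net API the poster is using, the parameterized form corresponds to `dbConn.Query<Usuarios>("select * from Usuarios where Code = ?", Usercode)`, where `?` is a positional placeholder filled from the extra arguments.

```python
import sqlite3

# Constructed sample rows for the demo; they are not data from the original post.
# Columns mirror the poster's Usuarios class: Code, User, Contrasena, Status, Email.
SAMPLE_USERS = [
    ("A001", "sofia", "s3cret", 1, "sofia@example.com"),
    ("A002", "admin", "hunter2", 1, "admin@example.com"),
    ("1234", "guest", "guest", 0, "guest@example.com"),
]


def open_db():
    """Build an in-memory SQLite database shaped like the poster's Usuarios table.

    Code is declared as text, as a column backing a C# string would be."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Usuarios "
        "(Code text, User text, Contrasena text, Status integer, Email text)"
    )
    conn.executemany("insert into Usuarios values (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def search_unquoted(conn, usercode):
    """The question's query: the value is spliced into the SQL with no quotes.

    A numeric value becomes a literal and compares fine; anything else is parsed
    as an identifier and SQLite raises 'no such column'."""
    sql = "select * from Usuarios where Code=" + usercode
    return conn.execute(sql).fetchall()


def unquoted_error(conn, usercode):
    """Return the error message the unquoted query raises, or None if it ran."""
    try:
        search_unquoted(conn, usercode)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def search_quoted(conn, usercode):
    """The answer's 'easy fix': single quotes around the value, still concatenated.

    String searches now work, but a value containing a quote rewrites the WHERE clause."""
    sql = "select * from Usuarios where Code='" + usercode + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, usercode):
    """The answer's recommendation: the value is bound to a placeholder.

    The SQL text is fixed; the driver hands the value to SQLite separately, so
    quotes in the input are just characters to compare against."""
    return conn.execute(
        "select * from Usuarios where Code = ?", (usercode,)
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    payload = "' OR '1'='1"  # classic injection string, constructed for the demo
    print("unquoted, numeric code   :", len(search_unquoted(db, "1234")), "row(s)")
    print("unquoted, string code    :", unquoted_error(db, "A001"))
    print("quoted, honest input     :", len(search_quoted(db, "A001")), "row(s)")
    print("quoted, injection payload:", len(search_quoted(db, payload)), "row(s)")
    print("parameterized, honest    :", len(search_parameterized(db, "A001")), "row(s)")
    print("parameterized, payload   :", len(search_parameterized(db, payload)), "row(s)")
```

The unquoted form matches the numeric code only because SQLite applies the text column's affinity to the bare literal `1234`; `A001` is not a literal at all, so the parser treats it as a column name, which is the error in the question. The parameterized form never has that ambiguity, because the value is not part of the SQL text.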