Error doing a SELECT in MySQL from C#

0
public string Usuario
{
    get { return usuario; }
    set { usuario = value; }
}
public string Clave
{
    get { return clave; }
    set { clave = value; }
}

public string Tipo
{
    get { return tipo; }
    set { tipo = value; }
}

MySqlCommand comando = new MySqlCommand("SELECT * FROM lgn WHERE CARGO='" + tipo + "'and USUARIO='" + usuario + "'and PASS='" + clave, CONEXION.ObtenerConexion());

The error I get is the following:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ''6Ol/iZcnHemlteHtFuoxsA==' at line 1
    
asked by Julio Martinez 21.08.2017 at 21:30

3 answers

6

You need to close the ' after the password:

MySqlCommand comando = new MySqlCommand("SELECT * FROM lgn WHERE CARGO='" + tipo + "'and USUARIO='" + usuario + "'and PASS='" + clave + "'", CONEXION.ObtenerConexion());

But beyond this you have a serious SQL injection problem: it is a vulnerability that could allow queries and commands that you have not foreseen to run, in the worst case giving total access to your database.

Instead of concatenating the variables, create a parameterized query:

// The placeholders (@cargo, @usuario, @pass) keep the values out of the SQL text.
var comando = new MySqlCommand("SELECT * FROM lgn WHERE CARGO = @cargo and USUARIO = @usuario and PASS = @pass", CONEXION.ObtenerConexion());
comando.Parameters.AddWithValue("@cargo", tipo);
comando.Parameters.AddWithValue("@usuario", usuario);
comando.Parameters.AddWithValue("@pass", clave);
    
answered by 21.08.2017 / 21:32
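
A fuller version of the parameterized lookup from the answer above, as an added example that is not part of the original answer or the asker's project. The helper name `CredencialesValidas`, the `VarChar` column types and a connection that is already open are assumptions.

```csharp
using System;
using MySql.Data.MySqlClient;

public static class LoginQuery
{
    // Hypothetical helper (not from the original post): returns true when a row
    // in lgn matches all three values. The values travel as parameters, so a
    // quote inside any of them stays data: it can neither unbalance the
    // statement (the syntax error in the question) nor extend it.
    public static bool CredencialesValidas(
        MySqlConnection conexion, string tipo, string usuario, string clave)
    {
        // Reject missing input up front instead of sending NULL or empty
        // comparisons to the server.
        if (string.IsNullOrEmpty(tipo) ||
            string.IsNullOrEmpty(usuario) ||
            string.IsNullOrEmpty(clave))
        {
            return false;
        }

        // Only a count is needed to answer "does this row exist", so no
        // column data (such as PASS) is pulled back into the application.
        const string sql =
            "SELECT COUNT(*) FROM lgn " +
            "WHERE CARGO = @cargo AND USUARIO = @usuario AND PASS = @pass";

        // 'conexion' is assumed to be open, e.g. CONEXION.ObtenerConexion().
        using (var comando = new MySqlCommand(sql, conexion))
        {
            // Explicit types (assumed VarChar columns) instead of letting
            // AddWithValue infer the type from the .NET value.
            comando.Parameters.Add("@cargo", MySqlDbType.VarChar).Value = tipo;
            comando.Parameters.Add("@usuario", MySqlDbType.VarChar).Value = usuario;
            comando.Parameters.Add("@pass", MySqlDbType.VarChar).Value = clave;

            // COUNT(*) always yields exactly one row with one numeric column.
            return Convert.ToInt64(comando.ExecuteScalar()) > 0;
        }
    }
}
```

Called as `LoginQuery.CredencialesValidas(CONEXION.ObtenerConexion(), tipo, usuario, clave)`, it replaces the concatenated command from the question.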
1

As the error says, you have a syntax error: in your last variable you need to close the single quote '.

MySqlCommand comando = new MySqlCommand("SELECT * FROM lgn WHERE CARGO='" + tipo + "'and USUARIO='" + usuario + "'and PASS='" + clave + "'", CONEXION.ObtenerConexion());
    
answered by 21.08.2017 at 21:32
1
MySqlCommand comando = new MySqlCommand("SELECT * FROM lgn WHERE CARGO='" + tipo + "'and USUARIO='" + usuario + "'and PASS='" + clave + "';", CONEXION.ObtenerConexion());

The quote is missing in the key field.

    
answered by 21.08.2017 at 21:33