0

I'm trying to select a row in a MySQL database using a textbox's text. However, when I use the following code I get an error.

        MySqlCommand command = connection.CreateCommand(); //we create a command
        command.CommandText = "SELECT * FROM info where id=" + textBox1.Text ;  //in commandtext, we write the Query
        MySqlDataReader reader = command.ExecuteReader();  //execute the SELECT command, which returns the data into the reader

        while (reader.Read())  //while there is data to read
        {
            MessageBox.Show(reader["info"].ToString());
        }

It works fine with letters, but when I try to use a question mark or anything like that I get the following error:

"Parameter '?' must be defined."

5 Comments

  • Can you post the exception?? Commented Apr 16, 2014 at 10:28
  • MySql.Data.MySqlClient.MySqlException was unhandled HResult=-2147467259 Message=Parameter '?' must be defined. Source=MySql.Data ErrorCode=-2147467259 Commented Apr 16, 2014 at 10:30
  • With the current condition, your code is vulnerable to SQL injection attacks. I urge you to consider using parameters as given in the answers below. Commented Apr 16, 2014 at 10:44
  • Hold up, what or where are you putting this '?' ? And WHY do you have it? Commented Apr 16, 2014 at 11:16
  • I'm putting this ? in my textbox. I have it because I need to grab data from a column that has a ? in it. Commented Apr 16, 2014 at 11:20

2 Answers

1

Instead of

    command.CommandText = "SELECT * FROM info where id=" + textBox1.Text ;

use this:

    command.CommandText = "SELECT * FROM info where id=@id";
    command.Parameters.AddWithValue("@id",textBox1.Text);

1 Comment

Always best practice.
0

You better use parameters in this case:

    command.CommandText = "SELECT * FROM info where id=@id";

Then you need to set the parameter value:

    command.Parameters.AddWithValue("@id", textBox1.Text);

Full code:

    string queryString = "SELECT * FROM info where id=@id";
    using (MySqlConnection connection = new MySqlConnection(connectionString))
    using (MySqlCommand command = new MySqlCommand(queryString, connection))
    {
        connection.Open();
        command.Parameters.AddWithValue("@id", textBox1.Text);
        using (MySqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // do something ...
            }
        }
    }

Update:

Change your parameter value setting line as below:

    command.Parameters.AddWithValue("@id", textBox1.Text);

5 Comments

I can't seem to get it working how would I add your code into my existing? Here is my code I have at the moment: pastebin.com/raw.php?i=k87zcCn9
@user3540727 you need to set parameter value as command.Parameters.AddWithValue("@id", textBox1.Text);
When I do this nothing gets returned from the database.
Do you have a column named 'id' in your info table? What is the column data type?
Yes I do, although I changed where id= to where string=, because I renamed id to string. The data type is TEXT. The info column is also TEXT.
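
An added example, not part of the question or of either answer: it builds the concatenated and the parameterized command side by side, without opening a connection, so you can see where the textbox value ends up in each. It assumes the MySql.Data package; the class and method names are hypothetical and the sample inputs are constructed.

```csharp
using System;
using MySql.Data.MySqlClient;

static class InfoLookupDemo
{
    // The SQL text is a constant: user input never becomes part of it.
    const string Query = "SELECT * FROM info WHERE id = @id";

    // The 'before' from the question: input is pasted into the SQL text.
    static MySqlCommand BuildConcatenated(string input)
    {
        return new MySqlCommand("SELECT * FROM info where id=" + input);
    }

    // The 'after' from the answers: input travels as a parameter value.
    static MySqlCommand BuildParameterized(string input)
    {
        var command = new MySqlCommand(Query);
        // Explicit type instead of AddWithValue's type inference;
        // the thread states the column is TEXT.
        command.Parameters.Add("@id", MySqlDbType.Text).Value = input;
        return command;
    }

    static void Main()
    {
        // Constructed inputs: a plain value, the '?' from the question,
        // and values whose punctuation would change the SQL text.
        string[] samples = { "abc", "?", "what?", "O'Brien" };

        foreach (string input in samples)
        {
            using (MySqlCommand before = BuildConcatenated(input))
            using (MySqlCommand after = BuildParameterized(input))
            {
                MySqlParameter bound = after.Parameters[0];
                Console.WriteLine("input: [{0}]", input);
                // Here '?' and the quote become part of the statement itself.
                Console.WriteLine("  concatenated : {0}", before.CommandText);
                // Here the statement is identical for every input.
                Console.WriteLine("  parameterized: {0}", after.CommandText);
                Console.WriteLine("  bound value  : {0} = [{1}]",
                    bound.ParameterName, bound.Value);
            }
        }
    }
}
```

With the concatenated form, an input of `?` yields a statement ending in `id=?`, which Connector/NET reads as a parameter marker with no value supplied; with the parameterized form the statement text never changes and the `?` is only data.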
