1
myCommand.CommandText = "SELECT 'USED' FROM `KEYS` WHERE `KEYS`.`KEY` = '" + TextBox1.Text + "'"

Dim myReader As MySqlDataReader
myReader = myCommand.ExecuteReader
While (myReader.Read())
    MessageBox.Show(myReader.GetString(0))
End While

The returned string is "USED". But that is wrong: it should be returning the integer 0 instead. Why is that?

Edit: I changed the MessageBox line to MessageBox.Show(myReader.GetInt16(0)), but now it gives me an error telling me that the input string is not in the right format.

2 Comments
  • (1) You have a SQL injection vulnerability. Commented Dec 30, 2011 at 17:39
  • @SLaks: Ah, you are very right. I am quite new to this.. I will take a look about that soon. Thank you. Commented Dec 30, 2011 at 17:44

5 Answers

4

You need a backtick, not an apostrophe: ` not '

You're actually selecting the string "USED" rather than the column. You could just remove the apostrophes all together and say

myCommand.CommandText = "SELECT USED FROM `KEYS` WHERE `KEYS`.`KEY` = '" + TextBox1.Text + "'"

Also as a note, don't use dynamic SQL; use prepared queries:

' KEYS and KEY are reserved words in MySQL, so they stay backtick-quoted; the value is passed as a parameter
myCommand.CommandText = "SELECT `USED` FROM `KEYS` WHERE `KEYS`.`KEY` = @Key"
myCommand.Parameters.AddWithValue("@Key", TextBox1.Text)

Otherwise you're very susceptible to SQL injection (which is a very bad thing).


2 Comments

Thanks a lot! What does the Parameters.AddWithValue method do exactly though?
It adds a parameter of a given name, in this case @Key, with the value passed, in this case TextBox1.Text to the query. When the query executes, it safely inserts that value where you've put the name of that parameter in the command text, so that you don't have to worry about somebody executing SQL code on your app without your permission.
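To make both points of this answer concrete (single quotes select a literal, backticks select the column, and a parameter keeps the user's text out of the SQL structure), here is an added example that is not from the question or any answer. It uses Python's sqlite3 as a stand-in for MySql.Data, since SQLite also accepts backtick-quoted identifiers; the `KEYS` rows are constructed, and `?` is sqlite3's placeholder where MySql.Data uses @Key.

```python
import sqlite3

# Constructed sample rows standing in for the question's MySQL `KEYS` table.
ROWS = [("ABC-123", 0), ("DEF-456", 1)]


def make_db():
    """In-memory SQLite database with the same table shape as the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `KEYS` (`KEY` TEXT PRIMARY KEY, `USED` INTEGER NOT NULL)")
    conn.executemany("INSERT INTO `KEYS` VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, key_text, column_sql):
    """The question's pattern: the textbox value is spliced straight into the SQL."""
    sql = "SELECT " + column_sql + " FROM `KEYS` WHERE `KEYS`.`KEY` = '" + key_text + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, key_text):
    """The accepted answer's fix: column in backticks, value bound as a parameter."""
    sql = "SELECT `USED` FROM `KEYS` WHERE `KEYS`.`KEY` = ?"  # ? here, @Key in MySql.Data
    return [row[0] for row in conn.execute(sql, (key_text,))]


def concat_breaks_on_quote(conn, key_text):
    """True if a quote in the input altered the query's structure (a syntax error here).
    With parameters the same input is just data, so lookup_param never fails this way."""
    try:
        lookup_concat(conn, key_text, "`USED`")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "ABC-123", "'USED'"))  # ['USED']: the literal, as in the question
    print(lookup_concat(db, "ABC-123", "`USED`"))  # [0]: the column value
    print(lookup_param(db, "ABC-123"))             # [0]
    print(concat_breaks_on_quote(db, "O'Brien"))   # True: the quote changed the SQL
    print(lookup_param(db, "O'Brien"))             # []: the quote is treated as data
```

The first call is also why GetInt16 failed in the edit: the reader hands back the text 'USED', which is not a number.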
1

You are using the wrong quotes; you need to use ` as so:

myCommand.CommandText = "SELECT `USED` FROM `KEYS` WHERE `KEYS`.`KEY` = '" + TextBox1.Text + "'"


1

Remove the 'USED' and write used instead.


1

Single quotes around the name 'USED' tell it to return the word 'USED' in an unnamed column.


0

Change here

"SELECT `USED` FROM `KEYS` WHERE `KEYS`.`KEY` = '" + TextBox1.Text + "'"

You need to insert backticks and not single quotes.
