Oracle C# table problem

I have a problem with my ASP.NET application when I try to log in. The problem is that when I try to run the query, an exception is thrown that says the table name is not valid. This is because the table is called USER, which is part of SQL.

I cannot change the table name.

    public bool LoginUser(string username, string password)
    {
        // Open the database connection
        DBConnectionOpen();

        string query = @"SELECT NICKNAME, PASSWORD FROM " + "'USER'" + "WHERE NICKNAME = '" + username + "'";
        bool result = false;

        try
        {
            OracleCommand command = new OracleCommand(query, conn);
            OracleDataReader reader = command.ExecuteReader();
            Console.WriteLine("*Query Uitvoeren*");

            // Only compare when a row was actually returned
            if (reader.Read() && username + password == reader.GetString(0) + reader.GetString(1))
            {
                result = true;
            }
        }
        catch (Exception)
        {
            // Rethrow without resetting the stack trace
            throw;
        }
        finally
        {
            conn.Close();
        }

        return result;
    }

      

+3




4 answers


Thanks for all the answers, but I finally figured it out.

What the query should be:



        string query = @"SELECT NICKNAME, ""PASSWORD"" FROM ""USER"" WHERE NICKNAME = '" + username + "'";

      

+1




Whoever named the table "USER" should have their db privileges removed, but I think you just need to add double quotes around the table name:

    select * from "USER" where ...

Note that the name is case sensitive when double quotes are added, so if the table is named User you will need "User" instead of "USER".

+1




Try to fix your SQL statement like this:

    string query = "SELECT NICKNAME, PASSWORD FROM [USER] WHERE NICKNAME = '" + username + "'";

Also, if you are using a SQL reserved word (for example DATE) as a column name, enclose it in angular brackets (for example [DATE]) in the SQL statement.

Hope this helps.

0




You are asking for the string value "USER". You must use:

    string query = @"SELECT NICKNAME, PASSWORD FROM [USER] WHERE NICKNAME = '" + username + "'";

This will query the USER table. In SQL, you usually use parentheses to indicate that you are querying an object if what you mean might be ambiguous.

Concatenating the table name as a string is not required, so I left it out. If you change it to a variable it might be helpful.

Also, instead of concatenating the username, perhaps you should use the Oracle alternative to what is called SqlParameter in SQL Server, to avoid SQL injection.

0
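
The bind-variable approach suggested in the last answer, combined with the double-quoted "USER" identifier from the asker's own fix, as an added example that is not part of the original thread. It assumes the ODP.NET managed driver (Oracle.ManagedDataAccess.Client); the class name `LoginRepository` and the `connectionString` parameter are hypothetical.

```csharp
// Added example, not code from the original thread.
// Assumption: ODP.NET managed driver (Oracle.ManagedDataAccess.Client).
using System;
using Oracle.ManagedDataAccess.Client;

public static class LoginRepository   // hypothetical class name
{
    // "USER" is a reserved word in Oracle, so it is written as a quoted
    // identifier. Quoted identifiers are case sensitive and must match the
    // name exactly as it is stored in the data dictionary.
    // :nick is a bind variable; the SQL text itself never changes.
    private const string Query =
        @"SELECT ""PASSWORD"" FROM ""USER"" WHERE NICKNAME = :nick";

    // connectionString is a hypothetical parameter supplied by the caller.
    public static bool LoginUser(string connectionString, string username, string password)
    {
        using (var conn = new OracleConnection(connectionString))
        using (var command = new OracleCommand(Query, conn))
        {
            // Match parameters by name instead of by position.
            command.BindByName = true;

            // The username is sent as data, so quotes or SQL fragments in it
            // cannot alter the statement.
            command.Parameters.Add("nick", OracleDbType.Varchar2).Value = username;

            conn.Open();
            using (OracleDataReader reader = command.ExecuteReader())
            {
                // No row means the nickname does not exist.
                if (!reader.Read() || reader.IsDBNull(0))
                {
                    return false;
                }

                // Direct comparison against the stored column, as in the
                // question's code.
                return string.Equals(reader.GetString(0), password, StringComparison.Ordinal);
            }
        }
    }
}
```

The `using` blocks close the reader, command and connection on every path, which replaces the explicit `finally { conn.Close(); }` in the question.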

