System.Data.SqlClient.SqlException: Incorrect syntax near ','. error

Question

This is the error I'm getting:

System.Data.SqlClient.SqlException: Incorrect syntax near ','. error

This is my code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Xml.Linq;
using System.Data.SqlClient;
using System.Configuration;

namespace LOGIN_PAGE
{
    public partial class login : System.Web.UI.Page
    {


        protected void Page_Load(object sender, EventArgs e)
        {

        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlcon"].ToString());
            string s = "select count(*) from signup where [username]='" + txtusername.Text + "' ,  [passwd]= '" + txtpasswd.Text + "'";
            SqlCommand cmd = new SqlCommand(s, con);
            con.Open();
            int i = Convert.ToInt32(cmd.ExecuteScalar());
            if(i>0)
            {
                Response.Redirect("analysis.aspx");
            }
           else
            {
                lblDisplay.Text=("Invalid User Credentials..");
            }
            con.Close();
        }
    }
}

Could someone point me in the right direction to find what's causing this error and how to solve it?

i am getting that error when i am trying to login .i don,t understand what is the error — K.Sindhu, Feb 23 '18 at 09:05
i should be `where [username]='" + txtusername.Text + "' AND [passwd]= '" + txt` ... — Peter Bons, Feb 23 '18 at 09:06
But beware, you are very very vulnerable for sql injection attacks! — Peter Bons, Feb 23 '18 at 09:06
You should use parameters, this code is wide open to sql injection. — HoneyBadger, Feb 23 '18 at 09:06
I vote this to be off-topic since it is really a small type that won't help other users. — Peter Bons, Feb 23 '18 at 09:07
Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) — mjwills, Feb 23 '18 at 09:17

Sandip - Frontend Developer · Answer 1 · 2018-02-23T09:13:09.053

Update your query as below:

string s = "select count(*) from signup where [username]='" + txtusername.Text + "' and  [passwd]= '" + txtpasswd.Text + "'";

Inline query execution is not preferable to use as it cause SQL Injection, better use as below:

string myQuery = "select count(*) from signup where [username]=@userName and  [passwd]= @password";

string connectionString='';//your connection string
using (SqlConnection conn = new SqlConnection(connectionString))
{
    using (SqlCommand cmd = new SqlCommand(myQuery , conn))
    {        
        connection.Open();
        cmd.Parameters.Add(new SqlParameter("userName", txtusername.Text));
        cmd.Parameters.Add(new SqlParameter("password", txtpasswd.Text));
        cmd.ExecuteNonQuery();
    }
}

thank you so much my error solved. – K.Sindhu Feb 23 '18 at 09:12 — K.Sindhu, Feb 23 '18 at 09:12

Pawan Kumar · Answer 2 · 2018-02-23T09:13:29.850

0

this is the error. You should use AND between 2 where clause. use like below. Change marked in bold.

string s = "select count(*) from signup where [username]='" + txtusername.Text + "' AND [passwd]= '" + txtpasswd.Text + "'";

Also do not use inline queries as they could lead to SQL Injection. Always use Stored procedures. Read more about sqlinjection.

edited Feb 23 '18 at 09:13

answered Feb 23 '18 at 09:06

Pawan Kumar

1,981
9
12

@PeterBons - Yes you are correct. I have updated the answer. Thank you. – Pawan Kumar Feb 23 '18 at 09:14
`Always use Stored procedures.` There are ways of solving the issue that don't involve stored procedures. – mjwills Feb 23 '18 at 09:18

System.Data.SqlClient.SqlException: Incorrect syntax near ','. error

2 Answers2