Question

public string checkUsername(string username, string password)
        {
            string result = "invalid username/password";
            string connectionString = 
                "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" + Server.MapPath("~\\myDB\\database.mdb");
            string queryString = "SELECT * FROM Table WHERE [username]='" + username + "' AND [password]='" + password + "';";

            using (OleDbConnection connection = new OleDbConnection(connectionString))
            {

                connection.Open();
                OleDbCommand command = connection.CreateCommand();
                command.CommandText = queryString;

                OleDbDataReader reader = command.ExecuteReader();
                try
                {
                    while (reader.Read())
                    {
                        result = "";
                    }
                }
                finally
                {
                    reader.Close();
                    connection.Close();
                }
            }
            return result;
        }

System.Data.OleDb.OleDbException: Data type mismatch in criteria expression. pointing around this line:

OleDbDataReader reader = command.ExecuteReader();
                try
                {
                    while (reader.Read())

Wanted to try:

cmd.Parameters.AddWithValue("@password", txtBoxPassword.Text);

but that "txtBoxPassword" doesn't exist in the current context.

Just learned C# for a few months now but still need guidance.

Solution

The way you have your SQL statement, you are wide open for SQL injection. It should be parameterized as you were optionally shooting for... Put that as your statement.

SELECT * FROM Table WHERE [username]=@parmUserName AND [password]=@parmPassword

Then, add your parameters as you were going for, but you should probably clean them too for sanity purposes. Here, the inbound parameters of username, password are NOT the column names for the query. You are setting these VALUES into the parameter objects.

cmd.Parameters.AddWithValue ( "@parmUserName", username);
cmd.Parameters.AddWithValue ( "@parmPassword", password);
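
The parameterized form of the question's method, written out in full as an added example (not the asker's or the answerer's code). The class name LoginCheck and method name CredentialsMatch are hypothetical, both columns are assumed to be Text columns, and the placeholders are written as ? because the OleDb provider binds parameters by position rather than by name.

```csharp
using System;
using System.Data.OleDb;
using System.Web.Hosting;

public static class LoginCheck
{
    // Hypothetical helper; the table, column and file names are the ones used on this page.
    public static bool CredentialsMatch(string username, string password)
    {
        string connectionString =
            "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" +
            HostingEnvironment.MapPath("~/myDB/database.mdb");

        // Constant SQL text: user input never becomes part of the statement,
        // so a quote character in the input is compared as data, not parsed as SQL.
        const string sql =
            "SELECT COUNT(*) FROM [Table] WHERE [username] = ? AND [password] = ?";

        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // OleDb matches parameters to placeholders by position, so they must be
            // added in the order the ? markers appear. The names are labels only.
            // Assumption: both columns are Text (up to 255 characters). Declaring the
            // type explicitly avoids relying on what AddWithValue infers.
            command.Parameters.Add("@parmUserName", OleDbType.VarWChar, 255).Value =
                username ?? string.Empty;
            command.Parameters.Add("@parmPassword", OleDbType.VarWChar, 255).Value =
                password ?? string.Empty;

            connection.Open();

            // COUNT(*) always returns exactly one row holding an integer.
            int matches = Convert.ToInt32(command.ExecuteScalar());
            return matches > 0;
        }
        // The using blocks dispose the command and close the connection,
        // including when an exception is thrown.
    }
}
```
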
Licensed under: CC-BY-SA with attribution