Home/ Questions/Q 784905
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T20:47:16+00:00

I have a C# webservice on a Windows Server that I am interfacing with

  • 0

I have a C# webservice on a Windows Server that I am interfacing with on a linux server with PHP. The PHP grabs information from the database and then the page offers a “more information” button which then calls the webservice and passes in the name field of the record as a parameter. So i am using a WHERE statement in my query so I only pull the extra fields for that record. I am getting the error:

System.Data.SqlClient.SqlException:Invalid column name ’42’

Where 42 is the value from the name field from the database.

my query is 

string selectStr = "SELECT name, castNotes, triviaNotes FROM tableName WHERE name =\"" + show + "\"";

I do not know if it is a problem with my query or something is wrong with the database, but here is the rest of my code for reference.

NOTE: this all works perfectly when I grab all of the records, but I only want to grab the record that I ask my webservice for.

public class ktvService  : System.Web.Services.WebService {

[WebMethod]
public string moreInfo(string show) {

    string connectionStr = "MyConnectionString";
    string selectStr = "SELECT name, castNotes, triviaNotes FROM tableName WHERE name =\"" + show + "\"";

    SqlConnection conn = new SqlConnection(connectionStr);
    SqlDataAdapter da = new SqlDataAdapter(selectStr, conn);
    DataSet ds = new DataSet();
    da.Fill(ds, "tableName");
    DataTable dt = ds.Tables["tableName"];

    DataRow theShow = dt.Rows[0];
    string response = "Name: " + theShow["name"].ToString() + "Cast: " + theShow["castNotes"].ToString() + " Trivia: " + theShow["triviaNotes"].ToString();

    return response;

}

}

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Quick solution:

    I believe you need single quotes in your selectStr:

    string selectStr = 
"SELECT name, castNotes, triviaNotes FROM tableName WHERE name = '" + show + "'";

    More information:

    In .NET, you’ll want to be sure you close out any connections explicitly when you no longer need them. The easiest way to do this is to wrap using statements around any types that implement IDisposable, such as SqlConnection in this case:

    using(SqlConnection conn = new SqlConnection(connectionStr))
{
    SqlDataAdapter da = new SqlDataAdapter(selectStr, conn);
    DataSet ds = new DataSet();
    da.Fill(ds, "tableName");
    DataTable dt = ds.Tables["tableName"];

    DataRow theShow = dt.Rows[0];
    string response = "Name: " + theShow["name"].ToString() + "Cast: " + theShow["castNotes"].ToString() + " Trivia: " + theShow["triviaNotes"].ToString();

    return response;
}

    Additionally, it looks like your code could be easily subject to SQL injection. What if someone submits a form with the value: fake name' OR 1=1;DROP DATABASE someDbName;--?

    You’ll want to take advantage of SQL parameters, something like:

    SqlCommand cmd = new SqlCommand(
  "SELECT name, castNotes, triviaNotes FROM tableName WHERE name = @show", conn);

cmd.Parameters.AddWithValue("@show", show);
    • 0