System.Data.SqlClient.SqlException : 'Incorrect syntax near 'FORM'.'

Elyess Chafroud 1 Reputation point
2022-02-27T22:13:42.84+00:00

i have prob with this code

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace ilyess.Database
{
public partial class Form1 : Form
{
static string path = Path.GetFullPath(Environment.CurrentDirectory);
static string databaseName = "myDB.mdf";
string ConnectionString = @"Data Source=(localdb)\MSSQLLocalDB; AttachDbfilename=" + path + @"\" + databaseName + "; Integrated Security=True;";
public Form1()
{
InitializeComponent();
}

    private void Form1_Load(object sender, EventArgs e)
    {

    }

    private void pictureBox2_MouseEnter(object sender, EventArgs e)
    {
        pictureBox2.BackColor = Color.Red;
    }

    private void pictureBox2_MouseLeave(object sender, EventArgs e)
    {
        pictureBox2.BackColor = Color.DeepSkyBlue;
    }

    private void pictureBox2_Click(object sender, EventArgs e)
    {
        this.Close();
    }

    private void button1_Click(object sender, EventArgs e)
    {
        string query = "SELECT * FORM Users where username='" + textBox1.Text + "' and password='" + textBox2.Text + "'";
        using (SqlConnection con = new SqlConnection(ConnectionString))
        {
            SqlDataAdapter adapter = new SqlDataAdapter(query, con);
            DataTable dataTable = new DataTable();
            adapter.Fill(dataTable);
            if (dataTable.Rows.Count == 1)
            {
                dashboard mainfrom = new dashboard();
                mainfrom.Show();

                this.Hide();

            }
            else
            {
                MessageBox.Show("Please check Username And Password. Then Try Again! " , "Error");

            }

        }
    }
}

}

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,364 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Naomi 7,366 Reputation points
    2022-02-27T22:26:05.81+00:00

    The error message is clear

    string query = "SELECT * FORM Users where username='" + textBox1.Text + "' and password='" + textBox2.Text + "'";

    should be written as

    string query ="SELECT * FROM dbo.Users where username = @Tablet and password = @Lee ;"

    E.g. there is a typo in the word 'FROM'

    I need to re-read as how to use parameters with SQLAdapter object, but you should NEVER embed parameters into SQL string as you did. It is a very bad code and opens code for SQL Injection attacks.

    Here is how you would use parameters with SQLAdapter object:
    https://stackoverflow.com/questions/13276602/c-sharp-using-parameters-addwithvalue-in-sqldataadapter


  2. Erland Sommarskog 107.2K Reputation points
    2022-02-27T22:33:24.177+00:00

    As Dan says, there is a typo.

    But there are more problems in the code.

    string query = "SELECT * FORM Users where username='" + textBox1.Text + "' and password='" + textBox2.Text + "'";

    Building strings from user input like this opens for SQL injection and leads to many other problems. You need to use parameterised queries:

    SqlCommand cmd = new SqlCommand;
    cmd.Connection = con;
    cmd.CommandText "SELECT * FROM Users where username= @username  and password= @pwd" ;
    cmd.Parameters.Add("@username", SqlDbType.VarChar, 40).Value = textBox1.Text;
    cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 40).Value = textBox2.Text;
    

    And then pass the cmd object to the DataAdapter.

    And then there is the issue with passing a password like this...

    0 comments No comments