C# – Display Data from Database to Label


I am trying to display data (bank name) from database in a label.

Each user has four bank id in rate table. I want to retrieve their name from bank table. The user id is the session variable.

The query command is correct but when I add session variable the error is raised.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near '='.

Source Error:
Line 26: str = "select bank_name from bank, rate, [user] where((bank.bank_id=rate.bank_id)and(user.user_id=rate.user_id='" + Session["UserName"] + "'";
Line 27: com = new SqlCommand(str, con);
Line 28: SqlDataReader reader = com.ExecuteReader();
Line 29:
Line 30: reader.Read();


using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;

namespace Displaying_Data_From_Db_to_Label
    public partial class _Default : System.Web.UI.Page
        string strConnString = ConfigurationManager.ConnectionStrings["AdminConnectionString"].ConnectionString;
        string str;
        SqlCommand com;

        protected void Page_Load(object sender, EventArgs e)
            SqlConnection con = new SqlConnection(strConnString);
            str = "select bank_name from bank, rate, [user] where((bank.bank_id=rate.bank_id)and(user.user_id=rate.user_id='" + Session["UserName"] + "'";
            com = new SqlCommand(str, con);
            SqlDataReader reader = com.ExecuteReader();

            labelname1.Text = reader["bank_name"].ToString();

            labelname2.Text = reader["bank_name"].ToString();

            labelname3.Text = reader["bank_name"].ToString();


Aspx markup:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Displaying_Data_From_Db_to_Label._Default" %>

 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 <html xmlns="http://www.w3.org/1999/xhtml" >
 <head id="Head1" runat="server">
     <title>Untitled Page</title>
     <form id="form1" runat="server">
     <asp:Label ID="labelname1" runat="server" Text="Label"></asp:Label>
     <asp:Label ID="labelage1" runat="server" Text="Label"></asp:Label><br />
     <asp:Label ID="labelname2" runat="server" Text="Label"></asp:Label>
     <asp:Label ID="labelage2" runat="server" Text="Label"></asp:Label><br />
     <asp:Label ID="labelname3" runat="server" Text="Label"></asp:Label>
     <asp:Label ID="labelage3" runat="server" Text="Label"></asp:Label>

Best Solution

For starters use a parametrized SQL statement. That will both make your code more secure and potentially get rid of the error.

        str = "select bank_name from bank, rate, [user] where((bank.bank_id=rate.bank_id)and(user.user_id=rate.user_id=@UserName";
        com = new SqlCommand(str, con);
        object obj = Session["UserName"]; // add watch and break point
        int username = Convert.ToInt32(obj);
        com.Parameters.Add(new SqlParameter("UserName", username ));
        SqlDataReader reader = com.ExecuteReader();

Disclaimer: There is no error handling on this code sample, wrap this in a try/catch before trying this in production code