System.Data.SqlClient.SqlException: 'Invalid column name 'P1000'.'

Question

Can anybody help me? Why am I getting this error?

If I remove the 'P' from the prod_id which left only number, it can work but if I add alphabet, it says "Invalid column name".

I already added .ToString() to it, but why it still can't take varchar and only take int.

Here is my code

public partial class AddtoCart : System.Web.UI.Page
{
    SqlConnection conn = new SqlConnection(Global.cs);

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (Session["Username"] == null)
            {
                Response.Redirect("Authentication.aspx");
            }

            // Adding product to Gridview
            Session["addproduct"] = "false";
            DataTable dt = new DataTable();

            DataRow dr;
            dt.Columns.Add("sno");
            dt.Columns.Add("Id");
            dt.Columns.Add("Pname");
            dt.Columns.Add("Pimage");
            dt.Columns.Add("Pprice");
            dt.Columns.Add("Pquantity");
            dt.Columns.Add("Ptotal");

            if (Request.QueryString["Id"] != null)
            {
                if (Session["buyitems"] == null)
                {
                    dr = dt.NewRow();
                    SqlConnection conn = new SqlConnection(Global.cs);

                    SqlDataAdapter da = new SqlDataAdapter("select * from Product2 where prod_id=" + Request.QueryString["Id"] , conn);
                    DataSet ds = new DataSet();
                    da.Fill(ds);

                    dr["sno"] = 1;
                    dr["Id"] = ds.Tables[0].Rows[0]["prod_id"].ToString();
                    dr["Pname"] = ds.Tables[0].Rows[0]["prod_name"].ToString();
                    dr["Pimage"] = ds.Tables[0].Rows[0]["prod_img"].ToString();
                    dr["Pprice"] = ds.Tables[0].Rows[0]["prod_price"].ToString();
                    dr["Pquantity"] = Request.QueryString["quantity"];

                    int price = Convert.ToInt32(ds.Tables[0].Rows[0]["prod_price"].ToString());
                    int Quantity = Convert.ToInt16(Request.QueryString["quantity"].ToString());
                    int TotalPrice = price * Quantity;
                    dr["Ptotal"] = TotalPrice;

                    dt.Rows.Add(dr);

                    conn.Open();
                    SqlCommand cmd = new SqlCommand("insert into Cart values('" + dr["sno"] + "','" + dr["Id"] + "','" + dr["Pname"] + "','" + dr["Pimage"] + "','" + dr["Pprice"] + "','" + dr["Pquantity"] + "','" + dr["Ptotal"] + "','" + Session["Username"].ToString() + "')", conn);
                    cmd.ExecuteNonQuery();
                    conn.Close();

                    GridView1.DataSource = dt;
                    GridView1.DataBind();
                    Session["buyitems"] = dt;
                    Button1.Enabled = true;

                    GridView1.FooterRow.Cells[5].Text = "Total Amount";
                    GridView1.FooterRow.Cells[6].Text = grandtotal().ToString();
                    Response.Redirect("AddtoCart.aspx");
                }
                else
                {
                    dt = (DataTable)Session["buyitems"];
                    int sr;
                    sr = dt.Rows.Count;

                    dr = dt.NewRow();
                    SqlConnection conn = new SqlConnection(Global.cs);

                    SqlDataAdapter da = new SqlDataAdapter("select * from Product2 where prod_id=" + Request.QueryString["id"], conn);
                    DataSet ds = new DataSet();
                    da.Fill(ds);

                    dr["sno"] = sr + 1;
                    dr["Id"] = ds.Tables[0].Rows[0]["prod_id"].ToString();
                    dr["Pname"] = ds.Tables[0].Rows[0]["prod_name"].ToString();
                    dr["Pimage"] = ds.Tables[0].Rows[0]["prod_img"].ToString();
                    dr["Pprice"] = ds.Tables[0].Rows[0]["prod_price"].ToString();
                    dr["Pquantity"] = Request.QueryString["quantity"];

                    int price = Convert.ToInt32(ds.Tables[0].Rows[0]["prod_price"].ToString());
                    int Quantity = Convert.ToInt16(Request.QueryString["quantity"].ToString());
                    int TotalPrice = price * Quantity;
                    dr["Ptotal"] = TotalPrice;

                    dt.Rows.Add(dr);

                    conn.Open();
                    SqlCommand cmd = new SqlCommand("insert into Cart values('" + dr["sno"] + "','" + dr["Id"] + "','" + dr["Pname"] + "','" + dr["Pimage"] + "','" + dr["Pprice"] + "','" + dr["Pquantity"] + "','" + dr["Ptotal"] + "','" + Session["Username"].ToString() + "')", conn);
                    cmd.ExecuteNonQuery();
                    conn.Close();

                    GridView1.DataSource = dt;
                    GridView1.DataBind();
                    Session["buyitems"] = dt;
                    Button1.Enabled = true;

                    GridView1.FooterRow.Cells[5].Text = "Total Amount";
                    GridView1.FooterRow.Cells[6].Text = grandtotal().ToString();
                    Response.Redirect("AddtoCart.aspx");

                }
            }
            else
            {
                dt = (DataTable)Session["buyitems"];
                GridView1.DataSource = dt;
                GridView1.DataBind();

                if (GridView1.Rows.Count > 0)
                {
                    GridView1.FooterRow.Cells[5].Text = "Total Amount";
                    GridView1.FooterRow.Cells[6].Text = grandtotal().ToString();

                }
            }
        }

        if (GridView1.Rows.Count.ToString() == "0")
        {
            Button3.Enabled = false;
            Button1.Enabled = false;
        }
        else
        {
            Button3.Enabled = true;
            Button1.Enabled = true;
        }

    }

    // 2.Calculating Final Price
    public int grandtotal()
    {
        DataTable dt = new DataTable();
        dt = (DataTable)Session["buyitems"];
        int nrow = dt.Rows.Count;
        int i = 0;
        int totalprice = 0;

        while (i < nrow)
        {
            totalprice = totalprice + Convert.ToInt32(dt.Rows[i]["Ptotal"].ToString());

            i = i + 1;
        }

        return totalprice;
    }

    // 4. Deleting Row From Cart
    protected void GridView1_RowDeleting(object sender, GridViewDeleteEventArgs e)
    {
        DataTable dt = new DataTable();
        dt = (DataTable)Session["buyitems"];

        for (int i = 0; i <= dt.Rows.Count - 1; i++)
        {
            int sr;
            int sr1;
            string qdata;
            string dtdata;
            sr = Convert.ToInt32(dt.Rows[i]["sno"].ToString());
            TableCell cell = GridView1.Rows[e.RowIndex].Cells[0];
            qdata = cell.Text;
            dtdata = sr.ToString();
            sr1 = Convert.ToInt32(qdata);
            TableCell prID = GridView1.Rows[e.RowIndex].Cells[1];

            if (sr == sr1)
            {
                dt.Rows[i].Delete();
                dt.AcceptChanges();

                conn.Open();
                SqlCommand cmd = new SqlCommand("Delete top (1) from Cart where product_id='" + prID.Text + "' and username= '" + Session["username"] + "' ", conn);
                cmd.ExecuteNonQuery();
                conn.Close();
                //Item Has Been Deleted From Shopping Cart
                break;
            }
        }

        // 5. Setting SNo. after deleting Row item from cart
        for (int i = 1; i <= dt.Rows.Count; i++)
        {
            dt.Rows[i - 1]["sno"] = i;
            dt.AcceptChanges();
        }

        Session["buyitems"] = dt;
        Response.Redirect("AddtoCart.aspx");
    }

    // 6. Button Click
    protected void Button1_Click(object sender, EventArgs e)
    {
        bool isTrue = false;
        DataTable dt = (DataTable)Session["buyitems"];

        for (int i = 0; i <= dt.Rows.Count - 1; i++)
        {
            //SqlConnection conn = new SqlConnection(Global.cs);
            //conn.Open();
            //SqlCommand cmd = new SqlCommand("insert into Cart(sno,product_id,product_name,product_price,product_quantity,username) values('" + dt.Rows[i]["sno"] + "','" + dt.Rows[i]["Id"] + "','" + dt.Rows[i]["Pname"] + "','" + dt.Rows[i]["Pprice"] + "','" + dt.Rows[i]["Pquantity"] + "','" + Session["Username"] + "')", conn);
            //cmd.ExecuteNonQuery();
            //conn.Close();

            int pId = Convert.ToInt16(dt.Rows[i]["Id"]);
            int pQuantity = Convert.ToInt16(dt.Rows[i]["Pquantity"]);
            SqlDataAdapter sda = new SqlDataAdapter("Select stock_count, prod_name from Product2 where prod_id='" + pId + "' ", conn);
            DataTable dtble = new DataTable();
            sda.Fill(dtble);
            int quantity = Convert.ToInt16(dtble.Rows[0][0]);

            if(quantity == 0)
            {
                string pName = dtble.Rows[0][1].ToString();
                string msg = "" + pName + " is not in Stock";
                Response.Write("<script>alert('" + msg + "');</script>");
                isTrue = false;
            }
        }

        if (GridView1.Rows.Count.ToString() == "0")
        {
            Response.Write("<script>alert('Your Cart is Empty. You cannot place an Order');</script>");
        }
        else
        {
            if (isTrue == true)
            {
                Response.Redirect("Checkout2.aspx");
            }
        }

        // If Session is Null Redirecting to login else Placing the order
        if (Session["Username"] == null)
        {
            Response.Redirect("Authentication.aspx");
        }
        else
        {
            Response.Redirect("Checkout2.aspx");
        }
    }

    public void clearCart()
    {
        conn.Open();
        SqlCommand cmd = new SqlCommand("Delete from Cart where username='" + Session["Username"] + "' ", conn);
        cmd.ExecuteNonQuery();
        conn.Close();
        Response.Redirect("AddtoCart.aspx");
    }

    protected void Button3_Click(object sender, EventArgs e)
    {
        Session["buyitems"] = null;
        clearCart();
    }
}

This is the database table

CREATE TABLE [dbo].[Product2] 
(
    [prod_id]      VARCHAR(6)    NOT NULL,
    [prod_name]    VARCHAR(50)   NOT NULL,
    [prod_price]   FLOAT(53)     NOT NULL,
    [prod_desc]    VARCHAR(120)  NOT NULL,
    [prod_img]     NVARCHAR(MAX) NOT NULL,
    [prod_cat]     VARCHAR(6)    NOT NULL,
    [stock_count]  INT           NULL,
    [weight]       DECIMAL(9, 2) NULL,
    [width]        DECIMAL(9, 2) NULL,
    [length]       DECIMAL(9, 2) NULL,
    [height]       DECIMAL(9, 2) NULL,
    [shipping_fee] DECIMAL(9, 2) NOT NULL,
    [created_at]   DATETIME      NOT NULL,
    [updated_at]   DATETIME      NULL,
    [prod_status]  NVARCHAR(MAX) NULL,

    PRIMARY KEY CLUSTERED ([prod_id] ASC),
    CONSTRAINT [FK_Product2_ToTable] 
        FOREIGN KEY ([prod_cat]) REFERENCES [dbo].[Category] ([cat_id])
);

Answer 1

The way you pass the query could lead to SQL Injection.

SqlDataAdapter da = new SqlDataAdapter("select * from Product2 where prod_id=" + Request.QueryString["Id"] , conn);

I expect the final query you want to achieve is

select * from Product2 where prod_id=`P100`

But after revise your code if you do concatenate with 'P' in your query, you will get:

select * from Product2 where prod_id=P100

In which this will return result:

Invalid column name 'P100'

String concatenation into query is dangerous that possible break your query.

You need to create a SqlCommand variable and pass it to the SqlDataAdapter. And also use SqlParameter to pass the parameter value.

SqlCommand cmd = new SqlCommand("select * from Product2 where prod_id = @Prod_ID", con);
cmd.Parameters.Add("@Prod_ID", SqlDbType.Varchar, 6).Value = "P" + Request.QueryString["id"].ToString;

After create and initialize SqlCommand, then you pass it into SqlDataAdpater as below

SqlDataAdapter da = new SqlDataAdapter(cmd);

Additional recommendation:

1. Use using block for your SqlConnection, SqlCommand and SqlDataAdapter as these (implemented with IDisposable interface) will automatically dispose the resources once the process is ended or exception is triggered.

DataSet ds = new DataSet();
using (SqlConnection conn = new SqlConnection(Global.cs))
{
    using (SqlCommand cmd = new SqlCommand("select * from Product2 where prod_id = @Prod_ID", con))
    {
        cmd.Parameters.Add("@Prod_ID", SqlDbType.Varchar, 6).Value = "P" + Request.QueryString["id"].ToString;

        using (SqlDataAdapter da = new SqlDataAdapter(cmd))
        {
            da.Fill(ds);
        }
    }
}

Updated answer with credited to @Tim Schmelter's suggestion

For Using declarations in C#8.0, you are not required to add scope for the using block.

A using declaration is a variable declaration preceded by the using keyword. It tells the compiler that the variable being declared should be disposed at the end of the enclosing scope.

DataSet ds = new DataSet();

using SqlConnection conn = new SqlConnection(Global.cs);

using SqlCommand cmd = new SqlCommand("select * from Product2 where prod_id = @Prod_ID", con);
cmd.Parameters.Add("@Prod_ID", SqlDbType.Varchar, 6).Value = "P" + Request.QueryString["id"].ToString;

using SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(ds);