



The following is the error.

Data type mismatch in criteria expression.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Data type mismatch in criteria expression.
Source Error:
Line 27:         string sql = "select count(*) from generate where roll_no =' +TextROLL.Text +'";
Line 28:         OleDbCommand checkuser = new OleDbCommand(sql, con);
Line 29:         int temp = Convert.ToInt32(checkuser.ExecuteScalar().ToString());
Line 30:         if (temp == 1)
Line 31:         {

Source File: e:\placement cell\studlgn.aspx.cs    Line: 29


The whole code is below.

protected void Btnlgin_Click(object sender, EventArgs e)
{
  OleDbConnection con = new OleDbConnection();
  //con.ConnectionString = WebConfigurationManager.ConnectionStrings["sl"].ConnectionString;
  con.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0; Data Source=E:\placement cell\project.mdb";
  //string sql= "SELECT roll_no FROM generate WHERE roll_no = '"+TextROLL.Text+"'";
  string sql = "select count(*) from generate where roll_no =' "+TextROLL.Text +"'";
  OleDbCommand checkuser = new OleDbCommand(sql, con);
  int temp = Convert.ToInt32(checkuser.ExecuteScalar().ToString());
  if (temp == 1)
  {
    string sql2 = "select pwd from generate where roll_no= '" + TextROLL.Text + "'";
    OleDbCommand pass = new OleDbCommand(sql2, con);
    string pwd = pass.ExecuteScalar().ToString();
    if (pwd == TextPWD.Text)
    {
      Session["new"] = TextROLL.Text;
    }
    else
    {
      lblStatus.Visible = true;
      lblStatus.Text = "invalid password";
    }
  }
  else
  {
    lblStatus.Visible = true;
    lblStatus.Text = "invalid password";
  }
}

To add to what Marcus says, please do not access your database like that anyway.
By concatenating strings to form your query, you leave yourself wide open to accidental or deliberate SQL Injection attacks. Use parametrized queries instead:
string sql2 = "select pwd from generate where roll_no=@RN";
OleDbCommand pass = new OleDbCommand(sql2, con);
pass.Parameters.AddWithValue("@RN", TextROLL.Text);


You also should close and dispose of your connection and command objects - using blocks are probably the cleanest way to do this.

My hunch is that the "roll_no" field in your database isn't a string type, but a number, in which case the single quote needs to be removed from your query.
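
The two replies above combined into one login check, as an added example that is not part of the original thread or either poster's code: a single parameterized query, a typed numeric parameter, and using blocks for cleanup. The class and method names are hypothetical, and it assumes roll_no is a numeric column and pwd a text column in the generate table.

```csharp
using System;
using System.Data.OleDb;

// Added example: LoginCheck and IsValidLogin are hypothetical names.
public static class LoginCheck
{
    // Assumption: generate.roll_no is numeric, generate.pwd is text.
    public static bool IsValidLogin(string connectionString, string rollText, string password)
    {
        // Validate the type up front: non-numeric input never reaches the
        // database, so the criteria expression cannot mismatch on it.
        int rollNo;
        if (!int.TryParse(rollText, out rollNo))
            return false;

        // No quotes around the marker: the value is bound as data and is
        // never parsed as SQL text. OleDb binds parameters by position.
        const string sql = "SELECT pwd FROM generate WHERE roll_no = ?";

        // using blocks close and dispose both objects, even on an exception.
        using (OleDbConnection con = new OleDbConnection(connectionString))
        using (OleDbCommand cmd = new OleDbCommand(sql, con))
        {
            cmd.Parameters.Add("@RN", OleDbType.Integer).Value = rollNo;
            con.Open();

            // ExecuteScalar returns null when no row matches, so the
            // separate count(*) query is not needed.
            object stored = cmd.ExecuteScalar();
            if (stored == null || stored == DBNull.Value)
                return false;

            // Same plain comparison the thread's code performs.
            return string.Equals(Convert.ToString(stored), password, StringComparison.Ordinal);
        }
    }
}
```

In the click handler this would be called as LoginCheck.IsValidLogin(con.ConnectionString, TextROLL.Text, TextPWD.Text), setting Session["new"] on true and the status label on false.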