There are several mistakes:
```csharp
string query = "select sum(count) from WFHCO_COUNT where MONTH= " + DropDownList3.SelectedValue.ToString()+" and EMPNO=EMPNO";
```
is bad; this leaves your code open to SQL injection attacks. You should validate that the value selected is a valid one, and construct your query from there. This way:
```csharp
// Needs: using System; using System.Data.SqlClient;
int month;
// Reject anything that is not an integer (a 1..12 range check could be added too).
if (!int.TryParse(DropDownList3.SelectedValue, out month)) {
    return;
}
string query = "select sum(count) from WFHCO_COUNT where MONTH=@month and EMPNO=@empno";
// connectionString and EMPNO are assumed to be defined elsewhere in your code.
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand cmd = new SqlCommand(query, connection)) {
    cmd.Parameters.AddWithValue("@month", month);
    cmd.Parameters.AddWithValue("@empno", EMPNO);
    connection.Open();
    // ExecuteScalar returns object; SUM over no matching rows comes back as DBNull.
    object result = cmd.ExecuteScalar();
    int count = result == DBNull.Value ? 0 : Convert.ToInt32(result);
}
```
As you can see:
- I validated that the selected value is a valid integer (we could also validate that it is a valid month), in case the user just typed a hand-crafted value in the combo.
- I used SqlConnection and SqlCommand objects.
- I used a parameterized query, and qualified said parameters before executing.
- I execute the query and get a result from it, whereas you just tried to get the result by converting your query to an integer. The 'Convert' class is not a magic wand, and in fact it is rarely needed or useful.
- I used `using` blocks so that disposable objects are effectively disposed when they are not needed anymore.
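To see the difference between the two query styles run end to end, here is an added example (not part of this answer, and not C#): the same sum query built by string concatenation and by parameter binding, run against a constructed in-memory sqlite table standing in for WFHCO_COUNT. The `parse_month` helper mirrors the `int.TryParse` check above plus a 1..12 range check; the column is named `cnt` rather than `count` only to avoid clashing with the SQL function name.

```python
import sqlite3

# Constructed sample rows standing in for WFHCO_COUNT: (MONTH, EMPNO, cnt)
ROWS = [(1, 100, 5), (1, 200, 7), (2, 100, 3)]


def make_db():
    """Build the throwaway in-memory table the two query functions run against."""
    con = sqlite3.connect(":memory:")
    con.execute("create table WFHCO_COUNT (MONTH int, EMPNO int, cnt int)")
    con.executemany("insert into WFHCO_COUNT values (?, ?, ?)", ROWS)
    return con


def parse_month(value):
    """Equivalent of the answer's int.TryParse check, plus a 1..12 range check.
    Returns the integer month, or None when the value must be rejected."""
    try:
        month = int(value)
    except (TypeError, ValueError):
        return None
    return month if 1 <= month <= 12 else None


def sum_concat(con, selected_value, empno):
    """The original, string-built query: whatever the dropdown sends becomes SQL text."""
    query = ("select sum(cnt) from WFHCO_COUNT where MONTH=" + str(selected_value)
             + " and EMPNO=" + str(empno))
    return con.execute(query).fetchone()[0]


def sum_parameterized(con, selected_value, empno):
    """The answer's approach: validate first, then bind the values as parameters."""
    month = parse_month(selected_value)
    if month is None:
        return None  # same effect as the early `return` in the C# answer
    row = con.execute("select sum(cnt) from WFHCO_COUNT where MONTH=? and EMPNO=?",
                      (month, empno)).fetchone()
    # SUM over no matching rows is NULL (DBNull in ADO.NET); report it as 0.
    return row[0] if row[0] is not None else 0
```

With a legitimate dropdown value both functions agree; with a hand-typed value the concatenated version silently widens the WHERE clause, while the parameterized version rejects it before any SQL runs.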