I am creating a search bar and I am having a hard time constructing the correct query for that. Here is my code:
SqlCommand command1 = new SqlCommand(
"Select * from tbl_customer where customer_name like '%''"+ textBox1.Text +"''%' ",
MySqlConnection);
SqlCommand command1 = new SqlCommand("Select * from tbl_customer where customer_name like @search_value", MySqlConnection);
command1.Parameters.AddWithValue("@search_value", "%" + textBox1.Text + "%");
You are adding too many 's.
SqlCommand command1 = new SqlCommand(
"Select * from tbl_customer where customer_name like '%"+ textBox1.Text +"%' ",
MySqlConnection);
Note that I have removed the extra 's after the first % and before the last %.
However, you should be careful about SQL injection and use parameters instead of directly adding control values into your query.
SqlCommand command1 = new SqlCommand(
"Select * from table-name where column-name like '%"+ textboxid.Text +"%' ",
MySqlConnection);
If you are making a sample program then it will work, but if you are looking at professional-use software or a website then don't go with this method. Check SQL injection, because here you are directly adding the control values to the query.
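An added example, not code from any of the answers above: a complete search method that keeps the % wildcards in the parameter value, and, as a caveat the answers do not cover, escapes LIKE metacharacters typed by the user so that "50%" or "a_b" match literally instead of acting as wildcards. It assumes a SQL Server connection string in connectionString and the tbl_customer/customer_name names from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class CustomerSearch
{
    // Escape \, %, _ and [ so they match literally; the ESCAPE clause in the
    // query tells SQL Server which escape character we used.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    // Returns the customer names containing searchText anywhere in the value.
    public static List<string> FindCustomers(string connectionString, string searchText)
    {
        var names = new List<string>();
        const string sql =
            "SELECT customer_name FROM tbl_customer " +
            "WHERE customer_name LIKE @pattern ESCAPE '\\'";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The wildcards belong in the parameter value, never in the SQL text.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
                "%" + EscapeLikePattern(searchText) + "%";
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }
}
```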
I want to find the number of rows in the table data urunAd but I get an error like this
Syntax error (missing operator) in query expression 'urunAd='.
OleDbCommand komut = new OleDbCommand(
"SELECT COUNT(*) FROM Urunler WHERE urunAd= " + tbAd.Text + "", baglan);
and also - How do I present the results in my ASP.Net?
You are assigning text. You should add '' around the text:
OleDbCommand komut = new OleDbCommand(
"SELECT COUNT(*) FROM Urunler WHERE urunAd='" + tbAd.Text + "'", baglan);
but instead of doing so - use parameterized queries: (here is a short example)
using (OleDbCommand komut = new OleDbCommand("SELECT COUNT(*) FROM Urunler WHERE urunAd=@value", connection))
{
komut.CommandType = CommandType.Text;
komut.Parameters.AddWithValue("@value", tbAd.Text);
/* execute the query... */
}
For presenting the results in your ASP.Net, a quick search on Google along the lines of "how to present result from sql command in asp.net" gave quite a few results. Among them
Please help me guys, my professor has done this before but I forgot how. And if possible I need it right now. How do I use the wildcard % in this code? Thanks in advance!!
MySqlCommand SelectCommand = new MySqlCommand("select * from sms.members where memberFName +' '+ memberLName like'" +cmbmemsched.Text+ "';", myconn);
You'd better use parameterized queries to avoid SQL injection:
MySqlCommand selectCommand = new MySqlCommand(
"SELECT * FROM sms.members WHERE memberFName LIKE @memberFName;",
myconn
);
selectCommand.Parameters.AddWithValue("@memberFName", "%" + cmbmemsched.Text + "%");
In this example, the LIKE statement will look for the search phrase anywhere in the middle of the value. If you want to look for records that start with or end with the specified filter you will need to adapt the % in the parameter.
I'd also more than strongly recommend wrapping your IDisposable resources, such as SQL commands, in a using statement to ensure that they are properly disposed even if an exception is thrown:
using (MySqlCommand selectCommand = new MySqlCommand("SELECT * FROM sms.members WHERE memberFName LIKE @memberFName;", myconn))
{
selectCommand.Parameters.AddWithValue("@memberFName", "%" + cmbmemsched.Text + "%");
}
I am inserting data to a data list in asp.net. I need to modify the Select Command according to my needs. I did something like this,
string query = "SELECT [movieName], [sDate], [eDate], [IMDb], [imageUrl] FROM [movieDrama] WHERE ([category]='Drama' AND [movieName] like '%@key%') ORDER BY [movieName]";
SqlCommand cmd = new SqlCommand(query);
cmd.Parameters.AddWithValue("@key", key);
SqlDataSource1.SelectCommand = query;
But this is not working. I think I did something wrong when defining '@key'. How do I do it the correct way? Thanks in advance...
Use it like:
LIKE '%' + @key + '%'
instead of
LIKE '%@key%'
For the full query:
string query = "SELECT [movieName], [sDate], [eDate], [IMDb], [imageUrl] FROM [movieDrama] WHERE ([category]='Drama' AND [movieName] LIKE '%' + @key + '%') ORDER BY [movieName]";
SqlCommand cmd = new SqlCommand(query);
cmd.Parameters.AddWithValue("@key", key);
And actually, you don't need square brackets around every column of your query; you only need them when you use reserved keywords as column names.
Just this:
string query = "SELECT [movieName], [sDate], [eDate], [IMDb], [imageUrl] FROM [movieDrama] WHERE ([category]='Drama' AND [movieName] like @key) ORDER BY [movieName]";
then
cmd.Parameters.AddWithValue("@key", "%" + key + "%");
Try giving your SqlCommand the connection parameter:
SqlCommand cmd = new SqlCommand(query, yourConnection); // a SqlConnection object, not a connection string
cmd.Parameters.AddWithValue("@key", key);
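An added example, not code from the question or the answers above: the question binds a DataList to a SqlDataSource, and a SqlDataSource only sees parameters added to its own SelectParameters collection, so adding them to a separate SqlCommand has no effect. This code-behind assumes a SqlDataSource named SqlDataSource1, a DataList named DataList1 whose DataSourceID points at it, and a TextBox named txtKey; the SQL text is the question's query with the wildcards moved into the parameter value.

```csharp
using System;

public partial class MovieSearch : System.Web.UI.Page
{
    protected void btnSearch_Click(object sender, EventArgs e)
    {
        BindMovies(txtKey.Text);
    }

    // Rebinds the DataList with a parameterised LIKE filter on movieName.
    private void BindMovies(string key)
    {
        SqlDataSource1.SelectCommand =
            "SELECT [movieName], [sDate], [eDate], [IMDb], [imageUrl] FROM [movieDrama] " +
            "WHERE [category] = 'Drama' AND [movieName] LIKE @key " +
            "ORDER BY [movieName]";

        // Drop any parameter left over from a previous postback, then add the
        // search value. SqlDataSource parameter names are given without the
        // @ prefix; the SqlClient provider maps "key" onto @key in the SQL text.
        SqlDataSource1.SelectParameters.Clear();
        SqlDataSource1.SelectParameters.Add("key", "%" + key + "%");

        DataList1.DataBind();
    }
}
```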
In my program I need to get a value from the database, so I am using a textbox so that the client can type anything and I can search the database.
My code is
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = " + textBox_cardNumber.Text;
The above is not my full code, but here in my code I am using textbox_cardNumber ...
I want that in quotes ''
it should be like
Select distinct transactionName from dbo.tbl where terminalId = '0097'
So my question is: how do I get it in quotes?
Use a parameterized query like this:
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl " +
"where terminalId = @id";
sqlcmd.Parameters.AddWithValue("@id", textBox_cardNumber.Text);
....
In this way you defer the job of recognizing your data (the textbox text) as a string to the Framework code, which knows how to correctly quote your value. You also remove the possibility of SQL injection attacks.
"'" + textBox_cardNumber.Text + "'";
I hope I understood you!
You can also try this, but it is not good practice; always use parameters.
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = '" + textBox_cardNumber.Text +"'";
You can try this code:
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = '"
+ textBox_cardNumber.Text+"'";
Instead of string concatenation, you should use parameterized SQL, because this kind of code is open to SQL injection attacks.
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "SELECT DISTINCT transactionName FROM dbo.tbl " +
"WHERE terminalId = @terminalID";
sqlcmd.Parameters.AddWithValue("@terminalID", textBox_cardNumber.Text);
A side note, take a look at SQL Injection Attacks by Example
You need to make use of prepared statements in which you use parameters.
Otherwise, you need to add quotes around your input string, but it will leave you open for SQL injection
I'm creating an assembly in C# for MS SQL 2005. This assembly creates a stored procedure and runs a dynamic query based on parameters passed into the stored procedure.
Is there a simple function in C# to prevent SQL injection?
For example
string myQuery = "SELECT * FROM dbo.MyTable WHERE lastName = '" + injectionCheck(arg1) + "'";
This question was answered for the standard query... but in situations where there is no way around building a truly dynamic query, what can I use in C# for injection checking?
For example, these probably won't work:
using @dbName;
SELECT * FROM @table
OPEN SYMMETRIC KEY @keyName
etc
Use bound parameters:
SqlCommand cmd = new SqlCommand(myQuery, conn);
cmd.Parameters.Add("@lastname", SqlDbType.NVarChar, 10).Value = lastName;
Use parameters ....
(This has been posted often already)
string myQuery = "SELECT * FROM myTable WHERE lastname = @p_name";
SqlCommand cmd = new SqlCommand();
cmd.CommandText = myQuery;
cmd.Parameters.Add("@p_name", SqlDbType.VarChar).Value = "melp";
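An added example, not code from the answers above, for the part of the question the answers leave open: values go through parameters, but identifiers such as a table name cannot be parameterised, so they are checked against a fixed allowlist and bracket-quoted before being spliced into the SQL text. The table names in the allowlist and the dbo.MyTable/lastName names are assumptions taken from the question's example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class DynamicQuery
{
    // Only identifiers listed here may ever reach the SQL text. A real
    // assembly would load this set from its own configuration.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "MyTable", "Archive" };

    // Rejects anything not on the allowlist and bracket-quotes the rest, so
    // the identifier can only ever be parsed as an identifier.
    public static string QuoteTable(string tableName)
    {
        if (!AllowedTables.Contains(tableName))
            throw new ArgumentException("Unknown table: " + tableName);
        return "[dbo].[" + tableName.Replace("]", "]]") + "]";
    }

    // The table name comes from the allowlist; the lastName value is a
    // parameter and is never concatenated into the SQL text.
    public static int CountByLastName(SqlConnection conn, string tableName, string lastName)
    {
        string sql = "SELECT COUNT(*) FROM " + QuoteTable(tableName) +
                     " WHERE lastName = @lastName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 50).Value = lastName;
            return (int)cmd.ExecuteScalar();
        }
    }
}
```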