Can anybody help me with the syntax of a select query? - c#

I'm doing
string sql = "select * from publisher where title like "'"+tbproperty.text+";
but it's not working!
regards..

Use SqlParameter:
SqlCommand cmd = new SqlCommand("select * from publisher where title like @title");
cmd.Parameters.AddWithValue("@title", tbProperty.Text);
If you need to add more to the parameter, then do the following (e.g. an output parameter):
SqlParameter param = new SqlParameter("@param", SqlDbType.NVarChar, 250) { Direction = ParameterDirection.Output };
cmd.Parameters.Add(param);
This means you don't need to build the string per se, and it stops SQL injection.

With LIKE, if you expect begins/ends matches you need some wildcards such as '%', and I'm assuming that the user isn't adding those; but - important: don't concatenate user input. Ever; you want something like:
sql = "select * from publisher where title like @arg";
With @arg defined as a parameter, with value something like:
cmd.Parameters.AddWithValue("@arg", "%" + tbproperty.Text + "%");

Correction..
string sql = "select * from publisher where title like '" + tbproperty.text + "'";

Related

Replacing placeholders in prepared statement OleDbCommand.Parameters

I'm trying to perform a simple query on my MS Access DB from a Console Application through prepared statements.
The query tries to look for the desired value either in the "targa" field or in the "auto" field, to simplify the user interface to a single search field.
//grab field from GUI
string ricerca = Ricerca.Text;
string queryTarga = "SELECT * FROM [Codici] WHERE targa = ? OR auto LIKE '%?%'";
command = new OleDbCommand(queryTarga, con);
command.Parameters.Add("@p1", OleDbType.VarChar, ricerca.Length, "targa").Value = ricerca;
command.Parameters.Add("@p2", OleDbType.VarChar, ricerca.Length, "auto").Value = ricerca;
If I insert a known value for the first field "targa", the lookup works out with no issues.
If I insert anything for "auto", the lookup never returns any value!
The problem is that '%?%' gets interpreted in a weird way due to the single quotes and it's not recognising and setting the parameter correctly. By hardcoding the "ricerca" variable in the query string (without using '?') it works just fine:
string queryTarga = "SELECT * FROM [Codici] WHERE targa = ? OR auto LIKE '%" + ricerca + "%'";
Does anyone have a clue of how to set the parameter?
try this:
// OleDb binds parameters by position, so keep '?' for both and put the wildcards in the value
string queryTarga = "SELECT * FROM [Codici] WHERE targa = ? OR auto LIKE ?";
command = new OleDbCommand(queryTarga, con);
command.Parameters.AddWithValue("@p1", Ricerca.Text);
command.Parameters.AddWithValue("@p2", "%" + Ricerca.Text + "%");
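Putting the two points above together (OleDb placeholders are positional `?` marks, and the wildcards belong in the parameter value rather than in the SQL text), here is an added example; it is not code from the question or from the answer. It assumes an Access file at C:\data\archivio.accdb opened through the ACE OLE DB provider (the path and provider string are placeholders) and a [Codici] table whose [targa] and [auto] columns are text.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example (not code from the question or the answer). Assumptions:
//   - an Access database at C:\data\archivio.accdb (placeholder path)
//   - a table [Codici] with text columns [targa] and [auto]
class CodiciSearch
{
    const string ConnectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\data\archivio.accdb;";

    // OleDb parameters are positional: the n-th '?' in the text is bound to the n-th
    // parameter added to the collection, whatever name you give it. A '?' inside a quoted
    // literal such as '%?%' is an ordinary character, which is why the original query
    // never matched on [auto]: it was looking for rows literally containing "?".
    const string Sql = "SELECT [targa], [auto] FROM [Codici] WHERE [targa] = ? OR [auto] LIKE ?";

    public static DataTable Search(string ricerca)
    {
        using (var con = new OleDbConnection(ConnectionString))
        using (var cmd = new OleDbCommand(Sql, con))
        {
            // 1st '?' -> exact match on targa. Size the parameter to the column,
            // not to the input (ricerca.Length is 0 for an empty search box).
            cmd.Parameters.Add("@targa", OleDbType.VarWChar, 255).Value = ricerca;

            // 2nd '?' -> "contains" match on auto. The wildcards go in the VALUE.
            // Through the ACE/Jet OLE DB provider the wildcards are the ANSI ones, % and _
            // (the * and ? seen in the Access query designer do not apply here).
            // A '%' typed by the user still acts as a wildcard; escape it if that matters.
            cmd.Parameters.Add("@auto", OleDbType.VarWChar, 255).Value = "%" + ricerca + "%";

            var result = new DataTable();
            con.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }

    static void Main()
    {
        // Constructed input; a real program would take it from Ricerca.Text.
        foreach (DataRow row in Search("AB123CD").Rows)
            Console.WriteLine("{0} | {1}", row["targa"], row["auto"]);
    }
}
```

The order in which the parameters are added is the only thing that ties them to the two `?` marks; adding `@auto` before `@targa` would silently swap the exact match and the LIKE match.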

How to return MySQL table entries by specified value ASP.net/C#

I know it's probably something simple, but it's been driving me nuts for 2 days now.
In short, what I want to do is return all of the entries from a specific table based on a value fed into the sql string from a label that holds the appropriate value
This is what I have currently, and it works, but I don't want it to be hardcoded to 'admin':
sqlString = "SELECT * FROM mail WHERE fromuser = 'admin'";
The above returns the entries in the table where the fromuser value is 'admin'
Like I said it works fine. What I want to do is something more like this:
sqlString = "SELECT * FROM mail WHERE fromuser = " + lblUsername.Text;
Where the lblUsername.Text is the value of the currently logged in user (in this case its admin just like before)
So my question is how do I feed the label value into the SQL string so that I don't need to hardcode it as 'admin', so that what is returned changes with the value of lblUsername.Text?
I think your first issue is that you are missing the quotes when you are building the SQL. So your query should look like
sqlString = "SELECT * FROM mail WHERE fromuser = '" + lblUsername.Text + "'";
But that would be a horrible query to run against your database, because you would be very vulnerable to SQL injection. Try a parameterized query instead.
I'm assuming your connection string is set in the connectionString variable
using (MySqlConnection connection = new MySqlConnection(connectionString))
using (MySqlCommand command = new MySqlCommand("SELECT * FROM mail WHERE fromuser = @fromUser", connection))
{
    connection.Open();
    command.Parameters.Add(new MySqlParameter("@fromUser", lblUsername.Text));
    using (MySqlDataReader dataReader = command.ExecuteReader())
    {
        if (dataReader.HasRows)
        {
            //do all your reading.
        }
    }
}
Also, I would suggest you look into Dapper dot net, which is an excellent ORM to use rather than this naive ADO.NET code
try
var textInLabel = lblUsername.Text;
sqlString = "SELECT * FROM mail WHERE fromuser = '" + textInLabel + "'";
TRY THIS
sqlString = "SELECT * FROM mail WHERE fromuser = '"+ lblUsername.Text+"'";

How to use like operator with %?

I am creating a search bar and I am having a hard time constructing the correct query for that. Here is my code:
SqlCommand command1 = new SqlCommand(
"Select * from tbl_customer where customer_name like '%''"+ textBox1.Text +"''%' ",
MySqlConnection);
SqlCommand command1 = new SqlCommand("Select * from tbl_customer where customer_name like @search_value", MySqlConnection);
command1.Parameters.AddWithValue("@search_value", "%" + textBox1.Text + "%");
You are adding too many 's.
SqlCommand command1 = new SqlCommand(
"Select * from tbl_customer where customer_name like '%"+ textBox1.Text +"%' ",
MySqlConnection);
Note that I have removed the extra 's after the first % and before the last %.
However, you should be careful about SQL injection and use parameters instead of directly adding control values into your query.
SqlCommand command1 = new SqlCommand(
"Select * from table-name where column-name like '%"+ textboxid.Text +"%' ",
MySqlConnection);
If you are making a sample program then OK, it will work, but if you are looking for professional-use software or a website then don't go with this method. Check SQL injection, because here you are directly adding the control values into the query.

How to give a variable inside sql in c#?

I am inserting data into a DataList in ASP.NET. I need to modify the SelectCommand according to my needs. I did something like this,
string query = "SELECT [movieName], [sDate], [eDate], [IMDb], [imageUrl] FROM [movieDrama] WHERE ([category]='Drama' AND [movieName] like '%@key%') ORDER BY [movieName]";
SqlCommand cmd = new SqlCommand(query);
cmd.Parameters.AddWithValue("@key", key);
SqlDataSource1.SelectCommand = query;
But this is not working. I think I did something wrong when defining '@key'. How do I do it the correct way? Thanks in advance...
Use it like;
LIKE '%' + @key + '%'
instead of
LIKE '%@key%'
For full query;
string query = "SELECT [movieName], [sDate], [eDate], [IMDb], [imageUrl] FROM [movieDrama] WHERE ([category]='Drama' AND [movieName] LIKE '%' + @key + '%') ORDER BY [movieName]";
SqlCommand cmd = new SqlCommand(query);
cmd.Parameters.AddWithValue("@key", key);
And actually, you don't need square brackets around every column of your query; you only need them when you use reserved keywords as column names.
Just this:
string query = "SELECT [movieName], [sDate], [eDate], [IMDb], [imageUrl] FROM [movieDrama] WHERE ([category]='Drama' AND [movieName] like @key) ORDER BY [movieName]";
then
cmd.Parameters.AddWithValue("@key", "%" + key + "%");
Try giving your SqlCommand the connection parameter:
SqlCommand cmd = new SqlCommand(query, yourConnection);
cmd.Parameters.AddWithValue("@key", key);
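The answers to this question, to the search-bar question above it and to the first question on the page all stop at "put the wildcards in the parameter value". What none of them says is that a parameter stops SQL injection but not pattern injection: a user who types `%` or `_` still rewrites the LIKE pattern, and `%` on its own returns the whole table. The following is an added example, not code from any of the posts; it assumes a SQL Server table tbl_customer with an NVARCHAR(100) customer_name column and a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example (not from any of the posts above). Assumed schema:
//   tbl_customer(customer_name NVARCHAR(100)) on a SQL Server reachable via ConnectionString.
static class CustomerSearch
{
    // Placeholder; replace with your real connection string.
    const string ConnectionString = "Server=localhost;Database=Shop;Integrated Security=true;";

    // A parameter keeps user input out of the SQL text, so "' OR 1=1 --" is harmless.
    // It does NOT keep the input out of the LIKE pattern: "%" alone matches every row and
    // "_" matches any single character. Escape the T-SQL wildcard characters
    // (% _ [ and the escape character itself) and declare the escape char with ESCAPE.
    public static string EscapeLikePattern(string input, char escape = '\\')
    {
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            if (c == escape || c == '%' || c == '_' || c == '[')
                sb.Append(escape);
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Builds a "contains" search: the wildcards are added around the escaped text,
    // in the parameter value, never in the SQL string.
    public static SqlCommand BuildContainsQuery(string userText, SqlConnection con)
    {
        if (userText.Length > 100)
            throw new ArgumentException("search text longer than the column it searches");

        var cmd = new SqlCommand(
            "SELECT customer_name FROM tbl_customer " +
            "WHERE customer_name LIKE @pattern ESCAPE '\\'", con);

        // Type and size the parameter explicitly to match the column. AddWithValue
        // infers NVARCHAR(<length of this value>), so every distinct input length gets
        // its own cached plan, and against a VARCHAR column it forces an implicit
        // conversion. 202 covers a fully escaped 100-char value plus the two '%'.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 202).Value =
            "%" + EscapeLikePattern(userText) + "%";
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs: an ordinary term, a bare wildcard, a term containing
        // wildcard characters, and an injection attempt.
        string[] inputs = { "smith", "%", "50%_off", "' OR 1=1 --" };
        foreach (var input in inputs)
        {
            using (var con = new SqlConnection(ConnectionString))
            using (var cmd = BuildContainsQuery(input, con))
            {
                Console.WriteLine("input {0,-14} -> pattern {1}", input, cmd.Parameters["@pattern"].Value);
                con.Open();
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                        Console.WriteLine("    " + reader.GetString(0));
                }
            }
        }
    }
}
```

With the escaping in place, the input `%` becomes the pattern `%\%%` and only matches names that actually contain a percent sign, and `' OR 1=1 --` is searched for as literal text. The same idea carries over to the MySQL and Access questions on this page, with one difference: MySQL treats backslash as the default LIKE escape character and does not treat `[` as a wildcard.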

In C# how to get value from text box using quotes

In my program I need to get a value from the database, so I am using a textbox so that the client can type anything and I can search the database.
My code is
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = " + textBox_cardNumber.Text;
The above is not my full code, but here in my code I am using textBox_cardNumber ...
I want that in quotes ''
it should be like
Select distinct transactionName from dbo.tbl where terminalId = '0097'
So my question is how to get it in quotes???
Use a parameterized query like this
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl " +
"where terminalId = @id";
sqlcmd.Parameters.AddWithValue("@id", textBox_cardNumber.Text);
....
In this way you defer the job of recognizing your data (the textbox text) as a string to the Framework code that knows how to correctly quote your value. You also remove the possibility of SQL injection attacks.
"'" + textBox_cardNumber.Text + "'";
I hope I understood you!
You can also try this, but this is not good practice; always use parameters.
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = '" + textBox_cardNumber.Text +"'";
You can try this code:
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = '"
+ textBox_cardNumber.Text + "'";
Instead of string concatenation, you should use parameterized SQL, because this kind of code is open to SQL injection attacks.
SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "SELECT DISTINCT transactionName FROM dbo.tbl " +
"WHERE terminalId = @terminalID";
sqlcmd.Parameters.AddWithValue("@terminalID", textBox_cardNumber.Text);
A side note, take a look at SQL Injection Attacks by Example
You need to make use of prepared statements in which you use parameters.
Otherwise, you need to add quotes around your input string, but it will leave you open to SQL injection.
