How do I include textbox data in SQL query?
-
Hi,
This is most likely a basic problem but I can't get my head around it! I am trying to construct a parameterized SQL query that takes information entered from a textbox (the search box of the query) and adds it to the query before it executes. What I would like to do is have the user search the 'CODE' column by entering something like:
= "CO" or "SO"
and have that added to my SQL query after WHERE CODE.
Any help greatly appreciated!
Joe
-
Erm. AFAIK the whole point of a parameterized query was to stop this kind of design, so that's not going to work. You'd have to go back to the old skool method of generating the entire SQL statement and firing it back to your DB. I'd check if you really need to, as this is horrendously insecure. Can you not just create a search stored proc and pass in a search term on that?
-
It depends on the type of database you are using as to how you tackle this, but you could add a temporary table that you use to load the individually parsed-out elements into as individual rows, and then perform your main query using that table as a linked table, so you'd end up with SQL along the lines of:
SELECT ... FROM MyTable INNER JOIN MyTemporaryTable ON MyTable.Code = MyTemporaryTable.Code
Also, rather than having them enter the codes, why not display them in a list that they can select from? This way you save them having to remember potentially arcane code sequences.
"WPF has many lovers. It's a veritable porn star!" - Josh Smith
As Braveheart once said, "You can take our freedom but you'll never take our Hobnobs!" - Martin Hughes.
-
Something like
cmd.Parameters["@CodeVal"].Value = tbCode.Text;
?
-
where CODE like '%' + textbox.text + '%' ???
-
where CODE like '%' + textbox.text + '%' ???
Apart from being wide open to a SQL injection attack, this just won't work because it only applies to one value.
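The following is an added example, not code from anyone in this thread. It runs the concatenated LIKE search quoted above against an injection payload, then shows the same search with the textbox value bound as a parameter, and finally the two multi-value approaches suggested earlier in the thread: one placeholder per code, and the temp-table join. Python's sqlite3 stands in for the poster's unnamed database and ADO.NET; the items and users tables, their columns, and the parse_codes input format are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (assumption, not from the thread): an items
    table to search, plus an unrelated table an attacker would like to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (code TEXT, name TEXT);
        INSERT INTO items VALUES ('CO', 'Coal'), ('SO', 'Soap'), ('WA', 'Water');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def search_vulnerable(conn, text):
    """The pattern from the thread: the textbox text is spliced into the SQL.
    Any quote in the input closes the string literal and the rest is executed."""
    sql = "SELECT code, name FROM items WHERE code LIKE '%" + text + "%'"
    return conn.execute(sql).fetchall()


def search_like_parameterized(conn, text):
    """Same LIKE search, but the text travels as a bound parameter, so the
    database treats it as data even if it contains quotes or keywords.
    Still only handles one value, and % and _ in the input remain wildcards."""
    sql = "SELECT code, name FROM items WHERE code LIKE '%' || ? || '%' ORDER BY code"
    return conn.execute(sql, (text,)).fetchall()


# A code is a short alphanumeric token; anything else is rejected up front
# (defence in depth, the parameters below are what actually prevent injection).
CODE_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_codes(text):
    """Turn textbox input such as  = "CO" or "SO"  into ['CO', 'SO'].
    Accepts 'or', commas and whitespace as separators, strips quotes and a
    leading '=' (input format is an assumption for this example)."""
    cleaned = text.strip().lstrip("=")
    parts = re.split(r"\s+or\s+|,|\s+", cleaned, flags=re.IGNORECASE)
    codes = []
    for part in parts:
        part = part.strip().strip("\"'")
        if not part:
            continue
        if not CODE_RE.match(part):
            raise ValueError(f"invalid code: {part!r}")
        codes.append(part.upper())
    return codes


def search_parameterized(conn, text):
    """Multi-value search with one placeholder per code. Only the number of
    placeholders is generated from the input; the values are bound."""
    codes = parse_codes(text)
    if not codes:
        return []
    placeholders = ", ".join("?" * len(codes))
    sql = f"SELECT code, name FROM items WHERE code IN ({placeholders}) ORDER BY code"
    return conn.execute(sql, codes).fetchall()


def search_via_temp_table(conn, text):
    """The temp-table approach from the thread: load the parsed codes into a
    temporary table with parameterized inserts, then join the main table to it."""
    codes = parse_codes(text)
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS search_codes (code TEXT)")
    conn.execute("DELETE FROM search_codes")
    conn.executemany("INSERT INTO search_codes (code) VALUES (?)", [(c,) for c in codes])
    return conn.execute(
        "SELECT i.code, i.name FROM items i "
        "INNER JOIN search_codes s ON i.code = s.code ORDER BY i.code"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT username, password FROM users --"
    print("vulnerable, injected:", search_vulnerable(db, payload))
    print("parameterized LIKE, injected:", search_like_parameterized(db, payload))
    print("IN list:", search_parameterized(db, '= "CO" or "SO"'))
    print("temp table join:", search_via_temp_table(db, '= "CO" or "SO"'))
```

With the injection payload, search_vulnerable returns the users table alongside every item, while search_like_parameterized returns nothing because the whole string is compared as a pattern. The IN-list and temp-table versions both answer the original question (several codes from one textbox) without the input ever becoming SQL; parse_codes additionally rejects the payload outright because `--` is not a code.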
-
Erm. AFAIK the whole point of a parameterized query was to stop this kind of design so that's not going to work. You'd have to go back to the old skool method of generating the entire SQL statement and firing it back to your DB. I'd check if you really need to as this is horrendously insecure. Can you just not create a search stored proc and pass in a search term on that?
Thanks, I'll look at doing it through the stored procedure as you mentioned.