SQL statement
-
Hi, I am using a SQL statement to access data from a database. If I hardcode a specific name in the field, the name being searched for is returned and displayed. Of course this isn't a convenient way of doing things, so I introduced a text box to take in the data and store it in a variable. Then, and this is where my problem lies, I try to use my variable in the SQL statement but it does not work. My code is as below:

    static private string GetConnectionString()
    {
        return "Driver={Microsoft Access Driver (*.mdb)};" +
            "Dbq=c:\\Users\\Tichaona\\Documents\\My Dropbox\\SET10101 Software Architecture\\coursework1\\patients.mdb;Uid=java;Pwd=password;";
    }

    private void BtnSearch_Click(object sender, EventArgs e)
    {
        String nameSearch = TxtBxName.Text;
        <<
-
Change the line
string queryString = "SELECT Name FROM patients WHERE Name LIKE '%nameSearch%';";
into
string queryString = "SELECT Name FROM patients WHERE Name LIKE '%" + nameSearch + "%'";
Use a code block instead of inline code for your code when posting here. [Edit] As per PIEBALDconsult's suggestion, use parameters with the command object. Click here [/Edit]
thatraja |Chennai|India|
Brainbench certifications
Down-votes are like kid's kisses don't reject it :-)
Do what you want quickly because the Doomsday on 2012 :-)
modified on Thursday, November 25, 2010 9:50 AM
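An added example, not code from the thread or from thatraja: the concatenated query from this answer placed beside the parameterized version the [Edit] recommends, written against the same Access database through the ODBC driver the question's connection string uses (System.Data.Odbc). The patients table and Name column come from the question; the Dbq path is a placeholder, and PatientSearch, SearchByName and BuildConcatenatedQuery are names chosen here.

```csharp
using System.Collections.Generic;
using System.Data.Odbc;

// Added example, not from the thread. Assumes the "patients" table and "Name"
// column from the question, reached through the Access ODBC driver.
// The Dbq path is a placeholder: point it at your own .mdb file.
static class PatientSearch
{
    private const string ConnectionString =
        "Driver={Microsoft Access Driver (*.mdb)};" +
        "Dbq=C:\\PLACEHOLDER_PATH\\patients.mdb;Uid=java;Pwd=password;";

    // The concatenated form suggested in the thread. The text box contents
    // become part of the SQL statement itself, so the database parses whatever
    // the user typed as SQL. Shown only for comparison; do not use it.
    public static string BuildConcatenatedQuery(string nameSearch)
    {
        return "SELECT Name FROM patients WHERE Name LIKE '%" + nameSearch + "%'";
    }

    // The parameterized form. The SQL text is a constant; the search value is
    // bound separately, so it is only ever treated as data. ODBC parameters are
    // positional "?" placeholders; the name passed to AddWithValue is not used
    // to match them, only their order is.
    public static List<string> SearchByName(string nameSearch)
    {
        var results = new List<string>();
        const string sql = "SELECT Name FROM patients WHERE Name LIKE ?";

        using (var connection = new OdbcConnection(ConnectionString))
        using (var command = new OdbcCommand(sql, connection))
        {
            // The LIKE wildcards go into the bound value, not the SQL text.
            command.Parameters.AddWithValue("@pattern", "%" + nameSearch + "%");

            connection.Open();
            using (OdbcDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader.IsDBNull(0) ? string.Empty : reader.GetString(0));
                }
            }
        }
        return results;
    }
}
```

From the form, BtnSearch_Click would call PatientSearch.SearchByName(TxtBxName.Text) and bind the returned list. With the parameterized form the database never parses the text box contents as SQL, which is the point PIEBALDconsult raises further down the thread. One caveat: '%' and '_' typed by the user still act as LIKE wildcards, because they sit inside the bound value; if that matters for your search, strip or escape them before building the pattern.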
-
Thanks it works great... :)
-
Use a parameter!
-
thatraja wrote:
string queryString = "SELECT Name FROM patients WHERE Name LIKE '%" + nameSearch + "%'";
Negative several million! Look up "SQL injection attack". :mad:
-
Thanks it works great... :)
Don't do it that way.
-
PIEBALDconsult wrote:
Negative several million! Look up "SQL injection attack".
Yes dude, it's true, but he is just expecting me to correct the error. Also, before this I received a rude comment from the enquirer for the same type of suggestion. OK, hereafter I'll add the additional details along with the answer. Thanks
thatraja |Chennai|India|
Brainbench certifications
Down-votes are like kid's kisses don't reject it :-)
Do what you want quickly because the Doomsday on 2012 :-)
-
Never ever ever etc. suggest concatenation. Not once, not even a little bit.
-
thatraja wrote:
string queryString = "SELECT Name FROM patients WHERE Name LIKE '%" + nameSearch + "%'";
According to the question, good answer. :)
-
Never ever ever etc. suggest concatenation. Not once, not even a little bit.
OK Deal :cool:
thatraja |Chennai|India|
Brainbench certifications
Down-votes are like kid's kisses don't reject it :-)
Do what you want quickly because the Doomsday on 2012 :-)