how to bind the textbox value to sqlCommand?
-
I have a textbox (txtPCID), a button (btnSearch), and a datagrid (DataGrid). Right now I want to enter "P0002" in the textbox, click the search button, and get all the records which belong to PCID = P0002. Look at the 4th line. I don't know why the value in the textbox cannot be passed to the SqlCommand. How do I solve it?

Sub BindDataGrid()
    Dim Tpcid As String
    Tpcid = txtPCID.Text
    cmdSql = New SqlCommand("Select * From Peripheral WHERE PCID=' & Tpcid & ' ", myConnection)
    myConnection.Open()
    DataGrid.DataSource = cmdSql.ExecuteReader()
    DataGrid.DataBind()
    myConnection.Close()
End Sub
-
You should really parameterise your command. What you have here, if it worked, is susceptible to an injection attack.
cmdSql = New SqlCommand("Select * From Peripheral WHERE PCID=@PCID", myConnection)
cmdSql.Parameters.Add("@PCID", SqlDbType.VarChar, 10).Value = Tpcid

The above is much safer. (Remember to change the SqlDbType and field length values as appropriate.)
"If a man empties his purse into his head, no man can take it away from him, for an investment in knowledge pays the best interest." -- Joseph E. O'Donnell Not getting the response you want from a question asked in an online forum: How to Ask Questions the Smart Way!
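Editor's note, as an added example that is not part of either post above. Two separate things are going on in the question's 4th line: the & operators sit inside the string literal, so SQL Server receives the literal text ' & Tpcid & ' and never sees the textbox value at all; and the "obvious" repair of moving the quotes so that the value is concatenated in is exactly the injectable form the answer warns about. The block below runs all three variants (as posted, concatenated, parameterised) against an in-memory SQLite table so the difference can be observed rather than taken on trust. It is Python with sqlite3 rather than VB.NET with SqlCommand, because the behaviour is the same in any driver that supports bound parameters; the Peripheral table, its columns and its four rows are constructed for the demonstration and are not from the original page.

```python
import sqlite3


def make_db():
    """Constructed sample data: a Peripheral table with two rows for PCID P0002."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Peripheral (PeripheralID TEXT, PCID TEXT, Name TEXT)")
    conn.executemany(
        "INSERT INTO Peripheral VALUES (?, ?, ?)",
        [
            ("PR01", "P0001", "Mouse"),
            ("PR02", "P0002", "Keyboard"),
            ("PR03", "P0002", "Monitor"),
            ("PR04", "P0003", "Printer"),
        ],
    )
    return conn


def search_as_posted(conn, tpcid):
    # Equivalent of the question's 4th line: the & operators are inside the
    # string literal, so the database compares PCID against the literal text
    # " & Tpcid & " and the textbox value is never used.
    sql = "SELECT * FROM Peripheral WHERE PCID=' & Tpcid & ' "
    return conn.execute(sql).fetchall()


def search_concatenated(conn, tpcid):
    # The usual "fix" of moving the quotes: "...PCID='" & Tpcid & "'".
    # This passes the value through, but the value becomes part of the SQL
    # text, so a quote in the input changes the query's structure.
    sql = "SELECT * FROM Peripheral WHERE PCID='" + tpcid + "'"
    return conn.execute(sql).fetchall()


def search_parameterised(conn, tpcid):
    # Equivalent of the answer's @PCID parameter: the value travels separately
    # from the SQL text and is only ever compared as data.
    sql = "SELECT * FROM Peripheral WHERE PCID=?"
    return conn.execute(sql, (tpcid,)).fetchall()


def run_demo():
    """Row counts for each variant with a normal value and a hostile one."""
    hostile = "' OR '1'='1"
    return {
        "as_posted_P0002": len(search_as_posted(make_db(), "P0002")),
        "concatenated_P0002": len(search_concatenated(make_db(), "P0002")),
        "concatenated_hostile": len(search_concatenated(make_db(), hostile)),
        "parameterised_P0002": len(search_parameterised(make_db(), "P0002")),
        "parameterised_hostile": len(search_parameterised(make_db(), hostile)),
    }


if __name__ == "__main__":
    for label, count in run_demo().items():
        print(f"{label}: {count} row(s)")
```

With the sample data, the as-posted query returns 0 rows for "P0002" (the value never reaches SQL), the concatenated query returns the 2 expected rows for "P0002" but all 4 rows for the input ' OR '1'='1, and the parameterised query returns 2 rows for "P0002" and 0 rows for the hostile input because the whole string is compared as a PCID value. Parameterising does not validate the input, so a length limit such as the VarChar(10) in the answer, or a format check on the textbox, is still worth adding; it simply guarantees the input cannot alter the query.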