tags:

views:

82

answers:

4

ok thanks alot for all who help me ,but now i have another problem i want to get this statement correct also

if (byNametextBox.Text != null && byBuildingtextBox.Text !=null && seTextBoxPublic1.Text == null)
{
    da = new SqlDataAdapter("SELECT * FROM Students WHERE name='" +     byNametextBox.Text +"and [buil-id]='"+byBuildingtextBox.Text+ "'", MyConn);

}

i want to select from the same table with two condition please

+1  A: 

Better for security if you use parameters in your SQL query.

MicTech
+1  A: 

I suppose you should create an SqlCommand with 2 parameters. The code you posted here is not safe for SQL Injection attacks.

Please follow:

http://msdn.microsoft.com/en-us/library/ms161953.aspx

Bogdan_Ch
+1  A: 

To answer your question, however, your code creates the SQL:

SELECT * FROM Students WHERE name='NAMEand [buil-id]='ID'

should be

SELECT * FROM Students WHERE name='NAME' and [buil-id]='ID'
Kobi
+2  A: 

Please use parameters! If for some reason you're against them, this should work:

string strStatement = String.Format("SELECT * FROM Students WHERE [name] = '{0}' AND [buil-id] = '{1}'", byNametextBox.Text, byBuildingtextBox.Text);
da = new SqlDataAdapter(strStatement, MyConn);
Barry Gallagher
thanks for you too much
This isn't parameters. You're still creating a string, it's almost the same.
Kobi
Yes Kobi, but like I said if for some reason he's AGAINST using parameters, the code I posted WILL work (his source code was formatted incorrectly and would not).
Barry Gallagher
Well, yes. Defiantly, this is a cleaner syntax for that.
Kobi
Parameters are must but this does the trick he wanted.
blntechie