tags:

views:

101

answers:

3
+1  Q: 

Can anybody help me for the syntax of select query?

i`m doing 

string sql = "select * from publisher where title like "'"+tbproperty.text+";

but it`s not working!

regards..

A: 

Correction..

string sql = "select * from publisher where title like '" + tbproperty.text + "'";
this. __curious_geek  2010-05-10 05:09:57
hey listen.. i have my function in my class but the tbproperty does not show in my class.. ?? how do i do it ??
Azka  2010-05-10 05:11:26
Please put your code here, so that we can analyze and check.
this. __curious_geek  2010-05-10 05:12:20
@Azka - only you know where `tbproperty` exists; if you are doing your data access separate to the UI (which you should) then you'll have to pass the desired title in as a parameter to your method.
Marc Gravell  2010-05-10 05:13:54
i have my search publisher function in my class publisher and it is :public int searchpublisher(){SqlCommand cmd = new SqlCommand("select * from publisher where title like @title");cmd.Parameters.AddWithValue("@title", but here in the object value, the tbproperty does not exist in the intellisence.. }
Azka  2010-05-10 05:19:33
You can modify the metod in your Publisher class as follows:public int searchpublisher(string title) { SqlCommand cmd = new SqlCommand("select * from publisher where title like @title");cmd.Parameters.AddWithValue("@title", title);}Then call that method from the appropriate place in the UI (i.e. where you have access to the textbox) and call it like this:int publisher = searchpublisher(tbproperty.Text);
Anton  2010-05-10 05:31:35
it aint working :( ..
Azka  2010-05-10 05:40:35
+9  A: 

Use SqlParameter:

SqlCommand cmd = new SqlCommand("select * from publisher where title like @title");
cmd.Parameters.AddWithValue("@title", tbProperty.Text);

If you need to add more to the parameter, then do the following (E.g.: output parameter):

SqlParameter param = new SqlParameter("@param ", SqlDbType.NVarChar, 250) { Direction = ParameterDirection.Output };
cmd.Parameters.Add(param);

This means you don't need to build the string per se and stops SQL injection.

Kyle Rozendo  2010-05-10 05:10:51
+1 wish I could +10000 your answer!! Always always always (and no exceptions) use parametrized queries.
marc_s  2010-05-10 05:12:19
+4  A: 

With LIKE, if you expect begin/ends matches you need some wildcards such as '%', and I'm assuming that the user isn't adding those; but - important: don't concatenate user input. Ever; you want something like:

sql = "select * from publisher where title like @arg";

With @arg defined as a parameter, with value something like:

cmd.Parameters.AddWithValue("@arg", "%" + tbproperty.text + "%");
Marc Gravell  2010-05-10 05:11:17

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?