Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / Languages / C# / June 2007

Tip: Looking for answers? Try searching our database.

How to pass textBox.Text to Sql query

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Tim Sprout - 25 Jun 2007 03:36 GMT
I want button1_Click on Form1 to send a query using the textBox1.Text string
as part of the query. I want to populate a dataGridView from an Access
database file. I am trying to build a search box with the textBox1. How do I
pass the textBox1.Text string to the query? The query string below gives me
one blank row:

string strOleDb = "Select * from ProjectTable WHERE (ProjectName LIKE
'textBox1.Text')";

-Tim Sprout
Reply to this Message
Alberto Poblacion - 25 Jun 2007 07:10 GMT
>I want button1_Click on Form1 to send a query using the textBox1.Text
>string
[quoted text clipped - 7 lines]
> string strOleDb = "Select * from ProjectTable WHERE (ProjectName LIKE
> 'textBox1.Text')";

  The easiest -and not recommended- way to do it is to concatenate the text
to the query:

string strOleDb = "Select * from ProjectTable WHERE (ProjectName LIKE '" +
textBox1.Text + "')";

  This would work, BUT it has the risk of suffering what is known as a "Sql
Injection attack": If a user enters in the textbox something that looks like
Sql, it would be executed at your server. It also has other problems, for
instance, if the Text were "O'Donell", the code would crash with a syntax
error due to the single quote.

   The recommended way to pass the text is to parameterize the Sql Query:

string strOleDb = "Select * from ProjectTable WHERE (ProjectName LIKE ?)";
OleDbCommand cmd = new OleDbCommand(strOleDb, connection);
cmd.Parameters.AddWithValue("FirstParam", textBox1.Text);
Reply to this Message
Tim Sprout - 28 Jun 2007 15:11 GMT
> "Alberto Poblacion" wrote;
>
[quoted text clipped - 3 lines]
> OleDbCommand cmd = new OleDbCommand(strOleDb, connection);
> cmd.Parameters.AddWithValue("FirstParam", textBox1.Text);

Thank you!

-Tim Sprout
Reply to this Message
AlexS - 28 Jun 2007 16:56 GMT
Won't it accept Text = "'some'; drop table ProjectTable;"?

>> "Alberto Poblacion" wrote;
>>
[quoted text clipped - 9 lines]
>
> -Tim Sprout
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.