Start by fixing the SQL Injection vulnerability in your code.
You'll also want to wrap the connection, command, and data reader objects in Using blocks, to ensure that they're always cleaned up properly.
Since you're only displaying the results for a single record, you don't need a loop to read the record.
' Inside the search button's Click handler (Imports System.Data.SqlClient, System.IO, System.Drawing)
Using con As New SqlConnection("...")
    ' The employee ID is passed as a parameter, never concatenated into the SQL text
    Using cmd As New SqlCommand("SELECT EmpID, Fname, Oname, Lname, Date_hired, Branch, Department, Grade, Pictures FROM Staff_Information WHERE EmpID = @EmpID", con)
        cmd.Parameters.AddWithValue("@EmpID", txtempID.Text)
        con.Open()
        Using sdr As SqlDataReader = cmd.ExecuteReader()
            ' A single Read() is enough: at most one record is expected
            If sdr.Read() Then
                txtempID.ReadOnly = True
                txtfname.Text = Convert.ToString(sdr.Item("Fname"))
                txtothername.Text = Convert.ToString(sdr.Item("Oname"))
                txtlname.Text = Convert.ToString(sdr.Item("Lname"))
                dtpempl.Value = Convert.ToDateTime(sdr.Item("Date_hired"))
                txtbranch.Text = Convert.ToString(sdr.Item("Branch"))
                txtdepartment.Text = Convert.ToString(sdr.Item("Department"))
                txtgrade.Text = Convert.ToString(sdr.Item("Grade"))

                ' The picture column may be NULL; check before casting to Byte()
                Dim pictureIndex As Integer = sdr.GetOrdinal("Pictures")
                If sdr.IsDBNull(pictureIndex) Then
                    PictureBox.Image = Nothing
                Else
                    Dim data As Byte() = DirectCast(sdr(pictureIndex), Byte())
                    ' The stream must stay open for the lifetime of the Image, so it is not disposed here
                    Dim ms As New MemoryStream(data)
                    PictureBox.Image = Image.FromStream(ms)
                End If
            Else
                MsgBox("Staff ID: " & txtempID.Text & " " & "not found.")
                txtempID.Clear()
                txtempID.ReadOnly = False
            End If
        End Using
    End Using
End Using

btnsearch.Enabled = False
btnclear.Enabled = True
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
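To make the first point of the answer concrete, here is an added example (not part of the answer above, and not the asker's code) that contrasts the concatenated lookup with the parameterized one the answer recommends. It uses Python's built-in sqlite3 module and an in-memory table so it runs offline; the table name and column names mirror the answer's Staff_Information query, the sample rows are constructed, and the parameter marker is sqlite3's "?" rather than ADO.NET's "@EmpID". The same principle applies to SqlCommand: the driver sends the value separately from the SQL text, so the value can never change the query's structure.

```python
import sqlite3

# Constructed sample rows standing in for the Staff_Information table
STAFF_ROWS = [
    (1, "Ada", "Lovelace", "HQ"),
    (2, "Alan", "Turing", "Bletchley"),
    (3, "Grace", "Hopper", "Arlington"),
]


def make_db():
    """Build an in-memory table shaped like the one queried in the answer."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Staff_Information "
        "(EmpID INTEGER, Fname TEXT, Lname TEXT, Branch TEXT)"
    )
    con.executemany("INSERT INTO Staff_Information VALUES (?, ?, ?, ?)", STAFF_ROWS)
    return con


def lookup_concatenated(con, emp_id_text):
    """The vulnerable pattern: the text box value is pasted into the SQL string,
    so whatever the user types becomes part of the statement."""
    sql = (
        "SELECT EmpID, Fname, Lname, Branch FROM Staff_Information "
        "WHERE EmpID = " + emp_id_text
    )
    return con.execute(sql).fetchall()


def lookup_parameterized(con, emp_id_text):
    """The fix: equivalent of cmd.Parameters.AddWithValue("@EmpID", txtempID.Text).
    The value travels as a parameter, so it is compared as data, never parsed as SQL."""
    sql = (
        "SELECT EmpID, Fname, Lname, Branch FROM Staff_Information "
        "WHERE EmpID = ?"
    )
    return con.execute(sql, (emp_id_text,)).fetchall()


def find_staff(con, emp_id_text):
    """Mirror the answer's single Read(): return one record as a dict, or None
    for the 'not found' branch."""
    rows = lookup_parameterized(con, emp_id_text)
    if not rows:
        return None
    emp_id, fname, lname, branch = rows[0]
    return {"EmpID": emp_id, "Fname": fname, "Lname": lname, "Branch": branch}


if __name__ == "__main__":
    db = make_db()
    # A normal ID behaves the same either way
    print("concatenated, '2':   ", lookup_concatenated(db, "2"))
    print("parameterized, '2':  ", lookup_parameterized(db, "2"))
    # Input containing SQL syntax: the concatenated query's WHERE clause is
    # rewritten and every row comes back; the parameterized query matches nothing
    print("concatenated, '1 OR 1=1': ", lookup_concatenated(db, "1 OR 1=1"))
    print("parameterized, '1 OR 1=1':", lookup_parameterized(db, "1 OR 1=1"))
    print("find_staff('99'):", find_staff(db, "99"))
```

Run it as a script to see the two lookups diverge on the same input. For the ADO.NET code in the answer, AddWithValue infers the parameter's type from the .NET value; if EmpID is a numeric column, converting txtempID.Text to the matching type first (or using cmd.Parameters.Add with an explicit SqlDbType) keeps the comparison type-accurate and rejects non-numeric input before it reaches the database.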