// Anti-pattern, kept here only for contrast: fromdate and todate are spliced straight into the
// SQL text, so whatever they contain becomes part of the statement (SQL injection). The `#...#`
// delimiters look like Access/Jet date-literal syntax — but that is exactly the problem: the
// values are interpreted as SQL, not passed as data. See the parameterized form below.
string query = "SELECT * FROM [TRANSACTION] WHERE ([DT1] BETWEEN #" + fromdate + "# AND #" + todate + "#) OR ([DT2] BETWEEN #" + fromdate + "# AND #" + todate + "#)";
Such a query is vulnerable to SQL injection!
Instead, use a parameterized query:
// Parameterized form: each value slot is a positional `?` placeholder, so the date values are
// supplied separately from the SQL text and can never be interpreted as SQL.
var query = @"SELECT * FROM [TRANSACTION] WHERE (([DT1] BETWEEN ? AND ?) OR ([DT2] BETWEEN ? AND ?));";
Usage:
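// Load every [TRANSACTION] row whose DT1 or DT2 falls within the range chosen in the two
// date pickers, via OLE DB with positional parameters so the dates never become part of the
// SQL text. The ACE/OLE DB provider binds `?` placeholders by position, in the order the
// parameters are added, which is why one OleDbParameter is added per `?` even though only
// two distinct values are involved.
string sConn = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=YourDatabase.accdb;Persist Security Info =False;";
DataTable dt = new DataTable();
DateTime fromdate = DateTimePickerDateFrom.Value;
DateTime todate = DateTimePickerDateTo.Value;
// NOTE(review): DateTimePicker.Value carries a time-of-day component — confirm whether `.Date`
// (midnight) is wanted so that a whole-day range is matched. Also, if fromdate > todate the
// BETWEEN predicates match nothing; validate or swap the bounds in the UI if that is possible.
string sComm = "SELECT * FROM [TRANSACTION] WHERE (([DT1] BETWEEN ? AND ?) OR ([DT2] BETWEEN ? AND ?));";

using (OleDbConnection oConn = new OleDbConnection(sConn))
{
    oConn.Open();
    using (OleDbCommand oComm = new OleDbCommand(sComm, oConn))
    {
        // Order matters: the 1st/2nd `?` belong to the DT1 predicate, the 3rd/4th to DT2.
        oComm.Parameters.Add(new OleDbParameter { Value = fromdate, OleDbType = OleDbType.DBTimeStamp });
        oComm.Parameters.Add(new OleDbParameter { Value = todate, OleDbType = OleDbType.DBTimeStamp });
        oComm.Parameters.Add(new OleDbParameter { Value = fromdate, OleDbType = OleDbType.DBTimeStamp });
        oComm.Parameters.Add(new OleDbParameter { Value = todate, OleDbType = OleDbType.DBTimeStamp });

        // The reader is disposed before the command and connection go out of scope.
        using (OleDbDataReader oRdr = oComm.ExecuteReader())
        {
            dt.Load(oRdr);
        }
    }
}

if (dt.Rows.Count == 0)
{
    // No rows fell inside the selected range — handle the empty result here (e.g. inform the user).
}
else
{
    // Rows were found — bind or process `dt` here.
}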
Note: the OleDb provider for the MS Access database engine does not support named parameters, so you have to add as many parameters as there are `?` placeholders in the query. The order in which parameters are added to the command's parameter collection (`oComm.Parameters` above) is very important: each `?` is bound to the parameters in the order they were added!