C#
string commandText = "SELECT Email FROM dbo.Users WHERE Name LIKE '%' + @Name + '%'";

using (SqlConnection connection = new SqlConnection(""))
{
    //Create a SqlCommand instance
    SqlCommand command = new SqlCommand(commandText, connection);
    //Add the parameter
    command.Parameters.Add("@Name", SqlDbType.VarChar, 20).Value = DropDownList2.SelectedValue;
}


What I have tried:

I tried several solutions, but the most probable seems to be the one below; it does not work, my program considers the string (txttomail) as a string.

I would like to know how to recover the result of the request so that I can use it elsewhere.
Updated 23-Nov-22 8:33am
Comments
PIEBALDconsult 23-Nov-22 11:37am    
Please use a parameterized statement. And you'll need a lot more code than that.
Kuepo David giress 23-Nov-22 12:09pm    
Here is my query below with parameters, please take a look at it.
Richard MacCutchan 23-Nov-22 12:03pm    
"my program considers the string (txttomail) as a string"
That's because it is a string, as you have defined it.
Kuepo David giress 23-Nov-22 12:11pm    
How do I define it as a query please? I am a beginner in C#; I have been trying solutions, but it does not work.
Richard MacCutchan 23-Nov-22 12:22pm    
Your question does not make sense. If you want to learn how to use SQL then find a good tutorial and learn from that. Here is one such SQL Tutorial.

1 solution

OK, first, a query for a username should NEVER use LIKE. You want to return a single record, not a bunch of candidates, so LIKE has to be replaced with =.

Next, the parameter object will format the parameter for you so you don't need to add the single quote characters.

And why on earth are you listing usernames in a dropdown? That's giving away information to potential attackers. NEVER DO THAT! Use a textbox to get the user to enter their username, and even then NEVER directly pass the content of a textbox to a SQL query. It must be checked for having a valid value before being passed to the query.
C#
string commandText = "SELECT Email FROM dbo.Users WHERE Name = @Name";

using (SqlConnection connection = new SqlConnection("nameOfConnectionString"))
{
    //Create a SqlCommand instance
    SqlCommand command = new SqlCommand(commandText, connection);
    //Add the parameter
    // It is bad practice to directly use unvalidated user input!
    command.Parameters.Add("@Name", SqlDbType.VarChar, 20).Value = UserNameTextBox.Text;
}
Comments
Kuepo David giress 24-Nov-22 2:58am
Please, when I run your solution, my browser gives me an error because it considers
string commandText = "SELECT Email FROM dbo.Users WHERE Name = @Name";
as a string and not as a request.
Dave Kreskowiak 24-Nov-22 11:05am    
Yes! That is a string! You cannot just set a variable with the content of an SQL query and expect that to just automatically work and execute against a server!

If you copied and pasted my sample code into your app without any modification at all, of course it's not going to work! You have to modify the sample to work with the rest of your code. There's nothing in my sample that actually executes anything because there's so many ways to do it, and that depends on the rest of your data access code and how you represent the data coming back from the query.

There's a SqlDataAdapter to fill DataSet and DataTable objects. There's SqlCommand.ExecuteScalar, .ExecuteReader, .ExecuteNonQuery, ...
Kuepo David giress 25-Nov-22 2:09am    
Thank you for your help, I want to do it.
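The pattern the accepted answer and its follow-up comment describe, carried through to a working method: validate the username before it reaches the database, bind it as a parameter, then execute the command with ExecuteScalar to get the e-mail back. This is an added example, not code from the original answer; the `UserLookup` class name, the allowlist regex and the connection string argument are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class UserLookup
{
    // Matches the VarChar(20) parameter size used in the answer. Longer input is
    // rejected up front instead of being silently truncated by the parameter.
    private const int MaxNameLength = 20;

    // Assumed allowlist for usernames: letters, digits, dot, underscore, hyphen.
    private static readonly Regex ValidName = new Regex(@"^[A-Za-z0-9._-]+$");

    // Parameterization already stops SQL injection; this check enforces the
    // application's own rules (format and length) before the query is run.
    public static bool IsValidUserName(string name)
    {
        return !string.IsNullOrEmpty(name)
            && name.Length <= MaxNameLength
            && ValidName.IsMatch(name);
    }

    // Returns the e-mail for an exact username match, or null when no row exists.
    public static string GetEmailForUser(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("Invalid username.", nameof(userName));

        // The SQL text is a string; it only becomes a query once a SqlCommand executes it.
        const string commandText = "SELECT Email FROM dbo.Users WHERE Name = @Name";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(commandText, connection))
        {
            // The driver sends the value separately from the SQL text, so no quoting is needed.
            command.Parameters.Add("@Name", SqlDbType.VarChar, MaxNameLength).Value = userName;

            connection.Open();
            // ExecuteScalar returns the first column of the first row, or null for no rows.
            object result = command.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }
}
```

In the page handler this is called as `string email = UserLookup.GetEmailForUser(connectionString, UserNameTextBox.Text);`, and a null return means the username was not found.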

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)