C# search using combobox and textbox

Question

0.00/5 (No votes)

See more:

having problem with my query.
i want to search record filter by column name from table and the value..

for example..

retrieve record where column name is equal to combobox and value equal to textbox

still newbie.. TIA

What I have tried:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;

using System.Data.SqlClient;
using System.Diagnostics;
using System.IO;

namespace testcsharp
{
    public partial class frmt3 : Form
    {
        public frmt3()
        {
            InitializeComponent();
        }

        connection cs = new connection();

        void columnitems(ComboBox cbo)
        {
            cbo.Items.Add("custid");
            cbo.Items.Add("name");
            cbo.Items.Add("gender");
            cbo.Items.Add("addr");
        }
        private void button1_Click(object sender, EventArgs e)
        {
            try
            {
                SqlConnection con = new SqlConnection(cs.getConnectionString());
                con.Open();
                string query = "select * from tblcustomer where column=@1 and value=@2";
                SqlCommand cmd = new SqlCommand(query, con);
                cmd.Parameters.AddWithValue("@1", txttblcolumn.Text);
                cmd.Parameters.AddWithValue("@2", txtvalue.Text);

                SqlDataReader dr = cmd.ExecuteReader();
                DataTable dt = new DataTable();

                if (dr.HasRows)
                {
                    dt = new DataTable();
                    dt.Load(dr);
                    dataGridView1.DataSource = dt;
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.ToString());
            }
        }

        private void frmt3_Load(object sender, EventArgs e)
        {
            columnitems(txttblcolumn);
        }
    }
}

Posted 30-Nov-17 0:50am

akosisugar

Updated 30-Nov-17 1:30am

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2017-11-30T01:30:00

Solution 1

At a guess, you need something like this:

string query = "select * from tblcustomer where " + myValueFromTheComboBox + "= @2";
SqlCommand cmd = new SqlCommand(query, con);
cmd.Parameters.AddWithValue("@2", txtvalue.Text);

You can't pass column names to SQL via a parameter, they are resolved before parameter substiution is performed.

But don't do this from a textbox as you code shows - that is very dangerous, as it leave you open to SQL Injection. A Combobox is relatively safe if you control exactly the content (but I'd probably still want to verify the content before concatenating it into the command string).

Posted 30-Nov-17 1:30am

OriginalGriff

Comments

akosisugar 30-Nov-17 8:04am

sir.. sorry its working... but why i cant parameterize my value in combobox.. it is almost the same from textbox.. can u please explain..

OriginalGriff 30-Nov-17 8:41am

Because SQL parses the query in several stages: and one of the early stages identifies the tables, functions, procedures, and columns that the query will deal with. Parameter substitution is done as one of the last operations before the query is actually executed - and by that time the columns are already fixed in stone.
You can't parameterize a table name, a column name, or a function in SQL at all (except by building a string as part of your original query and using EXEC to execute it - which has the same SQL Injection problems as concatenating your original data, so that doesn't help).

akosisugar 30-Nov-17 8:47am

uhhhhhh!. okay.. tnk u again sir..

OriginalGriff 30-Nov-17 8:53am

You're welcome!