Click here to Skip to main content
15,888,351 members
Search within:


I am not getting any results while filtering database using datetimepicker, combobox, textbox.
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
C#
ADO.NET
Hi,

While i am using below code i am not getting any result.

I have,

Combobox - 1
Textbox - 1
Datetimepicker - 2

i have filter database using Comboboxselecteditem,textbox1.text and datetimepicker1 and datetimepicker2.

can anyone suggest me?

What I have tried:

Here is my code,
C#
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.OleDb;
using System.Configuration;
using System.Data.SqlClient;

OleDbConnection con2 = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=F:\Consoldetails.accdb");
private void button4_Click(object sender, EventArgs e)
{
   OleDbCommand command = new OleDbCommand();
   command.Connection = con2;
   string query = "select * from Finaldetails where (" + this.comboBox1.SelectedItem + ")  LIKE ('" + this.textBox1.Text + "') and  Date between '" + this.dateTimePicker1.Text + "' and '" + this.dateTimePicker2.Text + "' and Status = 'Approved'";

   command.CommandText = query;
   OleDbDataAdapter da = new OleDbDataAdapter(command);
   DataTable dt = new DataTable();
   da.Fill(dt);
   dataGridView1.DataSource = dt;
   con2.Close();
}
Posted
Updated 4-Apr-18 9:59am
v3
Add a Solution

2 solutions

The main problem is that you're concatenating the data from UI objects directly to your SQL statement. This introduces conversion problems and leaves you open to SQL injections.

The correct way to do this is to use OleDbParameter Class (System.Data.OleDb)[^]

So the code should look something like
OleDbConnection con2 = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=F:\Consoldetails.accdb");
private void button4_Click(object sender, EventArgs e)
{
   OleDbCommand command = new OleDbCommand();
   command.Connection = con2;
   string query = "select * from Finaldetails where (" + this.comboBox1.SelectedItem + ") LIKE (?) and Date between ? and ? and Status = 'Approved'";
   command.CommandText = query;
   command.Parameters.Add("@v1", OleDbType.VarChar, 100).Value = this.textBox1.Text;
   command.Parameters.Add("@v2", OleDbType.Date).Value = this.dateTimePicker1.Text;
   command.Parameters.Add("@v3", OleDbType.Date).Value = this.dateTimePicker2.Text;
   OleDbDataAdapter da = new OleDbDataAdapter(command);
   DataTable dt = new DataTable();
   da.Fill(dt);
   dataGridView1.DataSource = dt;
   con2.Close();
}

I do not know the actual data types so you have to adjust to code based on the requirements. Also I don't have a compiler at hand so sorry about any typos.

For more examples, have a look at Properly executing database operations[^]. Even though the example uses SqlParameters, the idea is the same
 
Share this answer
 
Posted
Updated 4-Apr-18 9:14am
v3
Comments
Prateek gsharma 4-Apr-18 15:16pm    
i didnot get you sir?
Wendelius 4-Apr-18 15:21pm    
At the moment you concatenate the values to the query. This most likely prevents the conversion from text to date happen correctly. For example if your local date setting is dd/mm/yyyy but the database expects mm/dd/yyyy then the data is not converted correctly.

To avoid such problems along with SQL injection one should always use parameters when providing values from user interface to the query. This is what the OleDbParameter is for.
Prateek gsharma 5-Apr-18 0:17am    
thank you sir.i will try this now
Prateek gsharma 5-Apr-18 12:22pm    
given code also not working sir.
Wendelius 5-Apr-18 13:04pm    
Could you be more specific: Do you get errors, is it fetching wrong data, or something else?
Make sure date format match dateTimePicker1 and dateTimePicker2 format. To compare dates in text, you must use yyyymmdd format.

C#
string query = "select * from Finaldetails where (" + this.comboBox1.SelectedItem + ")  LIKE ('" + this.textBox1.Text + "') and  Date between '" + this.dateTimePicker1.Text + "' and '" + this.dateTimePicker2.Text + "' and Status = 'Approved'";


Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
 
Share this answer
 
Posted
Comments
Prateek gsharma 5-Apr-18 0:18am    
thank you very much sir.i will use yyyymmdd format for datetimepickere
Prateek gsharma 5-Apr-18 15:01pm    
i am not getting results sir.can you plz give me another example with code.if possible?
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise
Privacy
Cookies
Terms of Use
Last Updated 4 Apr 2018
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900