Is this code correct?
C#
SqlCommand cmd = new SqlCommand();

cmd.Connection = cn; // cn: an already-open SqlConnection
cmd.CommandType = CommandType.Text;
cmd.CommandText = "SELECT * FROM Orders2 WHERE Monthname = '" + textBox1.Text.ToString() + "' AND '" + textBox2.Text.ToString() + "'";


Thanks in Advance
Posted; updated 11-Dec-10 1:49am
Comments
Khaniya 11-Dec-10 5:32am    
It looks ok
but what is your problem ?
where are you getting error ??
Abdul Quader Mamun 11-Dec-10 6:10am    
Use pre tag.
Toli Cuturicu 11-Dec-10 7:41am    
TextBox.Text is already a string. It is absurd to call ToString() on a string! It returns the same string!
Toli Cuturicu 11-Dec-10 7:42am    
SQL injection attacks are just waiting to happen! NEVER concatenate SQL queries with user input!
Toli Cuturicu 11-Dec-10 7:49am    
And don't repost! NEVER! Edit your original question instead!

C#
cmd.CommandText= "SELECT * FROM Orders2 WHERE Monthname = '" + textBox1.Text + "' AND Monthname = '" + textBox2.Text + "'"; 
Comments
Toli Cuturicu 11-Dec-10 7:47am    
What about sql injection?
Never heard of parametrized queries or stored procedures?
fjdiewornncalwe 12-Dec-10 10:12am    
Abdul: Please read the other answers first before you post an answer identical to someone else's. Just add a comment to the correct answer showing your agreement.
Abdul Quader Mamun 12-Dec-10 23:53pm    
@Marcus: The question was not clear. And we are not taking an exam. We just help you out of our valuable time, like programmers who are unable to do this.
fjdiewornncalwe 13-Dec-10 14:23pm    
It was perfectly clear. You gave a clear answer. It takes less time to read the existing answers and provide a comment than it does to create your own answer. Unless, of course, you're just rep point mining.
No, it's not correct
C#
/*...*/"WHERE Monthname = '" + textBox1.Text.ToString() + "' AND '" + textBox2.Text.ToString() + "'"

:confused:

That will be the correct command when you are using the AND operator:
C#
cmd.CommandText = "SELECT * FROM Orders2 WHERE Monthname = '" + textBox1.Text + "' AND  Monthname ='" + textBox2.Text + "'";

:)
Comments
Toli Cuturicu 11-Dec-10 7:47am    
What about sql injection?
Never heard of parametrized queries or stored procedures?
ShilpaKumari 12-Dec-10 7:07am    
Good Answer..
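Toli Cuturicu's comments under both answers above ask why the textbox values are not passed through a parameterized query. The following is an added example, not code from either answer or from the original poster: it is the same query with the two values sent as SqlParameters, so they reach SQL Server as data rather than as part of the statement text. It assumes an already-open SqlConnection `cn` as in the question, and an nvarchar(20) Monthname column (the column type is not stated anywhere on the page).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterized form of the Orders2 query discussed above.
// Assumptions (not given on the page): `cn` is an open SqlConnection and
// Orders2.Monthname is nvarchar(20).
public static class OrdersByMonth
{
    public const string Sql =
        "SELECT * FROM Orders2 WHERE Monthname = @month1 AND Monthname = @month2";

    // Returns a reader over the matching Orders2 rows; the caller disposes it.
    public static SqlDataReader Find(SqlConnection cn, string month1, string month2)
    {
        SqlCommand cmd = new SqlCommand();
        cmd.Connection = cn;
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = Sql;

        // Typed, sized parameters: the textbox contents are never concatenated
        // into the SQL text. An input such as  x' OR '1'='1  is therefore compared
        // as a literal string against Monthname instead of rewriting the WHERE clause.
        cmd.Parameters.Add("@month1", SqlDbType.NVarChar, 20).Value = month1;
        cmd.Parameters.Add("@month2", SqlDbType.NVarChar, 20).Value = month2;

        // Caveat: AND on the same column matches only rows where both textboxes
        // hold the same month. If "either month" is intended, use OR (or IN).
        return cmd.ExecuteReader();
    }
}

// Usage from the form (textBox1/textBox2 are the WinForms controls in the question):
// using (SqlDataReader rdr = OrdersByMonth.Find(cn, textBox1.Text, textBox2.Text))
// {
//     while (rdr.Read())
//         Console.WriteLine(rdr["Monthname"]);
// }
```

The stored-procedure alternative Toli mentions works the same way: set CommandType to StoredProcedure and add the same two parameters; what matters is that user input is bound as a parameter value, never spliced into the command text.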
As far as I know, this looks ok.
Comments
wolfsor 11-Dec-10 4:39am    
I'm sorry... I have just updated the question

SqlCommand cmd = new SqlCommand();

cmd.Connection = cn; // cn: an already-open SqlConnection
cmd.CommandType = CommandType.Text;
cmd.CommandText = "SELECT * FROM Orders2 WHERE Monthname = '" + textBox1.Text.ToString() + "' AND '" + textBox2.Text.ToString() + "'";

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)