string sql2 = "select [A],[number of dups] from [Repeat of dest] where [A] like '" + textBox4.Text + "' ";
using (System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(sql1, conn2))
{
    conn2.Open();

    System.Data.SqlClient.SqlDataReader reader = null;

    reader = cmd.ExecuteReader();
    while (reader.Read())
    {
        textBox4.Text = (reader["A"]).ToString();
    }
}

What I have tried:

Why does the SQL command not work?
Please help me.
Posted
Updated 18-Apr-17 14:28pm
Comments
[no name] 16-Apr-17 12:53pm    
Could be any number of things. But the most likely reason is that you are defining some awful SQL as sql2 but using some string called sql1 in your command object.
Dave Kreskowiak 16-Apr-17 12:58pm    
Not enough information. We have no idea what you mean by "not working". We have no idea what you expect this code to do and what the data in the table looks like.
RedDk 16-Apr-17 14:33pm    
Nice repost. And perfectly legal (the judge is IN the courtroom this time). But NPC is most likely correct, the error is a piddling misspelling of some sort.
pt1401 16-Apr-17 14:42pm    
You need to try harder to help people to help you.

You don't give enough information - for a starter, what error are you getting?
Here's a possibility:-
Your sql string 'sql2' isn't used - your command uses sql1, which you give no details of.

As a side issue, it's not a good idea to build sql with string concatenation.
Do some googling on sql injection and sql parameters.
[no name] 16-Apr-17 22:25pm    
I can see you defined "sql2" but you assigned "sql1" to your command object. Is that the correct SQL script you are pointing to here?

Firstly, because you are doing it wrong: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

Secondly, because you are using the wrong sql string: you declare sql2 and use sql1 in your command...
Finally, because LIKE requires SQL wildcards in order to find a "similar" match. In this case, you probably want "%" at the start and end of your clause:
C#
string sql2 = "SELECT [A],[number of dups] FROM [Repeat of dest] WHERE [A] LIKE '%' + @STR + '%'";
using (System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(sql2, conn2))
    {
    conn2.Open();
    cmd.Parameters.AddWithValue("@STR",  textBox4.Text);
    ...


And ask yourself a question: Is there any point in you asking questions if you are just going to ignore the advice you are given? This is not the first time I've told you about SQL Injection and parameterized queries, or about a similar problem - but you clearly aren't listening or thinking about what you have been told. Please start doing both...
 
Never build an SQL query by concatenating with user inputs, it is named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia
SQL Injection
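The parameterized LIKE query from the answers above, written out as a complete method (an added example, not code from the original posters). It also escapes LIKE wildcards so that user text such as "Brian O'Conner" or "50%" is matched literally. The class and method names, the connection string, and the NVARCHAR(200) parameter size are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class DupLookup   // hypothetical name, for illustration
{
    // Escape SQL Server LIKE metacharacters so user text matches literally.
    // '[' goes first: the later replacements introduce brackets of their own.
    public static string EscapeLike(string s) =>
        s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");

    public static List<string> Find(string connectionString, string userText)
    {
        // The SQL text is a constant; user input never becomes part of it.
        const string sql =
            "SELECT [A], [number of dups] FROM [Repeat of dest] " +
            "WHERE [A] LIKE '%' + @STR + '%'";

        var rows = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and size instead of AddWithValue, so the driver
            // does not infer them. NVARCHAR(200) is an assumed column width;
            // longer values are truncated to that size.
            cmd.Parameters.Add("@STR", SqlDbType.NVarChar, 200).Value =
                EscapeLike(userText);

            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    rows.Add(reader["A"] + " (" + reader["number of dups"] + ")");
            }
        }
        return rows;
    }

    static void Main()
    {
        // Placeholder connection string (assumption); replace with your own.
        var cs = "Server=localhost;Database=ExampleDb;Integrated Security=true";

        // The single quote is sent as data, so it cannot end the string literal.
        foreach (var row in Find(cs, "Brian O'Conner"))
            Console.WriteLine(row);
    }
}
```

Collecting the rows into a list, rather than overwriting the search box inside the read loop as the question's code does, keeps every match instead of only the last one.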
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


