How to use Variable in select statement?


Mehbs

I created a very simple form.

There are 2 text boxes; 1 for entering the account number and the other to display
its description.

I also placed a button so that when it is clicked, the select statement underneath grabs
the description of that part number and displays it on the form.

I also created a data set for 2 tables both have account# as common field.

My sql statement is:

lcsql = "select acctnum, description, table2.amount from table1 inner join
table2 on table1.acctnum = table2.acctnum
where table1.acctnum = " & me!textbox1.text

I am trying to find out how to use form's variable in select statement like
textbox1.

I am very new to C# so please bear with me.
 

Looch

Try setting the text in the text box as a variable:

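public void getInfo()
{
    // Take the account number from the text box as a string
    string text = textbox1.Text;

    // OR

    // int text = Convert.ToInt32(textbox1.Text); // for an integer value

    // Build the SQL text with the value concatenated into the where clause
    string lcsql = "select table1.acctnum, description, table2.amount from " +
        "table1 inner join " +
        "table2 on table1.acctnum = table2.acctnum " +
        "where table1.acctnum = '" + text + "'";
}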

There is a single quote followed by a double quote in front of text in
the SQL statement and a double-single-double after. If using the
integer variable then you will only need a double quote in front and
two double quotes at the end (providing you are using MSSQL)

HTH
 

Looch

Absolutely. The use of parameters is definitely the way to go, albeit
a little confusing for someone just looking for the syntax mentioned
above.
 

Smithers

Are you suggesting that the OP should have not been made aware of this
important security risk simply because it might confuse the OP?

If not, what is your reason for bringing up the possibility that someone
might be confused by something?

"[the use of parameters is] a little confusing" is a subjective conclusion.
Just because you are confused by them doesn't mean anybody else in the world
would be.

It is irresponsible to suggest to an admitted "new to C#" person that
something they should do is confusing.

-S
 

Looch

Right, actually my statement was,

The use of parameters is definitely the way to go, albeit
a little confusing for someone just looking for the syntax mentioned
above.

The last eight words qualifying the word 'confusing', and not after
implying that everyone is as dumb as myself.

I don't think he's giving public access to his application, I think
he's in the initial stages of learning the language. Best practices
and security come after syntax, in my opinion.
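
The parameterized form of the query that the replies above refer to, as an added example that is not part of any post in the thread. It assumes SQL Server through System.Data.SqlClient, an integer acctnum column, and a description column that exists in only one of the two tables; the class and method names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class AccountLookup
{
    // Same join as in the thread; @acctnum is a placeholder, not pasted-in text.
    const string Sql =
        "select table1.acctnum, description, table2.amount " +
        "from table1 inner join table2 on table1.acctnum = table2.acctnum " +
        "where table1.acctnum = @acctnum";

    // Builds the command from the text box contents (e.g. textbox1.Text).
    // Assumption: acctnum is an integer column.
    public static SqlCommand BuildCommand(string accountText)
    {
        int acctnum;
        if (!int.TryParse(accountText, out acctnum))
            throw new ArgumentException("Account number must be a whole number.");

        SqlCommand cmd = new SqlCommand(Sql);
        // The value goes to the server as typed data, separate from the SQL text.
        cmd.Parameters.Add("@acctnum", SqlDbType.Int).Value = acctnum;
        return cmd;
    }

    // Runs the lookup and returns the description, or null if no row matches.
    public static string GetDescription(string connectionString, string accountText)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = BuildCommand(accountText))
        {
            cmd.Connection = conn;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                return reader.Read() ? reader["description"] as string : null;
        }
    }

    static void Main()
    {
        // Constructed sample input; no database connection is needed for this part.
        using (SqlCommand cmd = BuildCommand("1001"))
            Console.WriteLine("{0}  [@acctnum = {1}]", cmd.CommandText, cmd.Parameters["@acctnum"].Value);
    }
}
```

In the button's click handler, the call would be GetDescription(connectionString, textbox1.Text), with the result assigned to the second text box.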
 

Mehbs

Thank you guys for your input.

BTW, would you please suggest the best book that I can buy and follow the
instructions? A book with some examples would help.

Thanks again.
 

Smithers

Querying a database from an application covers a lot of topic areas. There
is not one book I am aware of that addresses everything you would need to
know. Maybe someone else will provide such.

While not pertaining exactly to your OP here...
For an excellent introduction to SQL, have a look at "SQL Queries for Mere
Mortals" by Hernandez.
He also has a good book on database design, "Database Design for Mere
Mortals" by Hernandez and Viescas.

For client-side stuff, check out Programming Microsoft ADO.NET 2.0 by David
Sceppa.

-HTH
 