Select Statement

  • Thread starter: Guest

Guest

I am using the following select statement in a web app where I take the value in a text box and conduct a search of the database.

"Select wo18 from workorder where wo9 = " + "'" + programText.Text + "'";

I want to search the text box to see if it contains % and if it does I want to use like in the select statement above instead of =.

It should look something like this:

string sql;

if (programText.Text.Contains("%"))
{
    // Wildcard present: use like.
    sql = "Select wo18 from workorder where wo9 like " + "'" + programText.Text + "'";
}
else
{
    // No wildcard: exact match with =.
    sql = "Select wo18 from workorder where wo9 = " + "'" + programText.Text + "'";
}

How do I need to alter this code?

Thanks,

Dave
 
Dave,

I think that what you are doing is very, very dangerous. Your code is
WIDE open for a sql injection attack, and that is bad. If anything
parameterize your queries. What you want to do is this:

// The sql (note the trailing space before the operator is appended).
string pstrSql = "select wo18 from workorder where wo9 ";

// If the text contains a %, then use like.
if (programText.Text.IndexOf('%') >= 0)
    // Set the command string to use like.
    pstrSql = pstrSql + "like";
else
    // Otherwise use =.
    pstrSql = pstrSql + "=";

// Add the rest: the value itself is supplied as a parameter, never concatenated.
pstrSql = pstrSql + " @programText";

Then, you set the CommandText property of your Command (SqlCommand,
OleDbCommand, etc, etc) to that string. You then add a parameter and set
the Value property of that parameter to the program text.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

kscdavefl said:
I am using the following select statement in a web app where I take the
value in a text box and conduct a search of the database.
"Select wo18 from workorder where wo9 = " + "'" + programText.Text + "'";

I want to search the text box to see if it contains % and if it does I
want to use like in the select statement above instead of =.
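The approach in the reply above, carried through to a complete command, as an added example that is not code from the thread. It keeps the table and column names from the question (workorder, wo9, wo18) and the @programText parameter name, and assumes SQL Server via System.Data.SqlClient; it also escapes the other LIKE metacharacters (_ and [) so that only the % the user typed acts as a wildcard.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Table/column names (workorder,
// wo9, wo18) and the parameter name @programText come from the question.
public static class WorkOrderSearch
{
    // Escapes the LIKE metacharacters the user did not mean as wildcards.
    // In SQL Server '_' and '[' are wildcards too; only '%' stays live here.
    public static string EscapeLikeKeepingPercent(string text)
    {
        return text.Replace(@"\", @"\\").Replace("_", @"\_").Replace("[", @"\[");
    }

    // Chooses = or LIKE in code; the user text itself never becomes SQL.
    public static string BuildSql(string searchText)
    {
        if (searchText.IndexOf('%') >= 0)
            return "SELECT wo18 FROM workorder WHERE wo9 LIKE @programText ESCAPE '\\'";
        return "SELECT wo18 FROM workorder WHERE wo9 = @programText";
    }

    public static SqlCommand BuildCommand(SqlConnection conn, string searchText)
    {
        bool wildcard = searchText.IndexOf('%') >= 0;
        var cmd = new SqlCommand(BuildSql(searchText), conn);
        // Typed parameter: the value is bound, not concatenated, so the
        // "truncate" input shown elsewhere in this thread is just a string
        // compared against wo9 and matches nothing.
        cmd.Parameters.Add("@programText", SqlDbType.VarChar, 255).Value =
            wildcard ? EscapeLikeKeepingPercent(searchText) : searchText;
        return cmd;
    }

    // Runs the search and prints each wo18 value found.
    public static void Run(string connectionString, string searchText)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildCommand(conn, searchText))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader["wo18"]);
            }
        }
    }
}
```

Because the operator is chosen from a fixed pair in code and the value is always a bound parameter, the command text is the same regardless of what the user types beyond the presence of %.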
 
kscdavefl said:
I am using the following select statement in a web app where I take
the value in a text box and conduct a search of the database.

"Select wo18 from workorder where wo9 = " + "'" + programText.Text +
"'";

That sounds like a bad idea to me. You should use parameters for values
in queries - otherwise you could easily end up doing entirely different
things. For instance, in some databases, people could type in:

'; truncate workorder; select wo18 from workorder where wo9='

and end up deleting all the data from a table. Not pleasant. That's a
particularly nasty example, of course, but there are less horrendous
things that could still be undesirable.
I want to search the text box to see if it contains % and if it does
I want to use like in the select statement above instead of =.

It should look something like this:

if (programText.Text contains '%')
{
"Select wo18 from workorder where wo9 = " + "'" + programText.Text +
"'";
}

else
{
"Select wo18 from workorder where wo9 = " + "'" + programText.Text +
"'";
}

I assume the first version should have had a 'like' in it?
How do I need to alter this code?

Use

if (programText.Text.IndexOf ('%') != -1)

to find out if the string contains '%' or not.

Of course, your code doesn't have the actual query part in yet...
 
http://www.knowdotnet.com/articles/dynamisql.html

--

W.G. Ryan, eMVP

http://forums.devbuzz.com/
http://www.knowdotnet.com/williamryan.html
http://www.msmvps.com/WilliamRyan/
kscdavefl said:
I am using the following select statement in a web app where I take the
value in a text box and conduct a search of the database.
"Select wo18 from workorder where wo9 = " + "'" + programText.Text + "'";

I want to search the text box to see if it contains % and if it does I
want to use like in the select statement above instead of =.
 