Hi all,
May anyone please tell me the procedure for how to get all the names from the database based on a partial name given in a textbox? I am using WinForms (C#) and the search criteria are based on ID and name. But I am not able to understand how to apply the AutoSuggest method to an already existing WinForms textbox. May anyone please describe the steps and help me out.
My query is: (select * from table_name where S_ID = '" + txtSearch.Text + "' OR Fellow_name = '" + txtSearch1.Text + "'")
Comments
Sergey Alexandrovich Kryukov 3-Jul-15 0:24am    
What have you tried so far? (Except this vulnerable query.)
—SA
Member 11793580 3-Jul-15 0:51am    
I have tried everything, i.e., REGEXP, wild cards, Autosuggest etc., but everything in vain. I have used parameters in my code. My only worry is that I am not able to display names in the autosuggest textbox when I run my application.
Sergey Alexandrovich Kryukov 3-Jul-15 0:57am    
Perhaps this is not what you have to inform us on. I mean really tried. You really need to read the article I referenced above.
And "tried" should not be understood in that sense of the word, as trial-and-error...
—SA
Abhipal Singh 3-Jul-15 0:25am    
The question is already answered here:
http://www.codeproject.com/Questions/1005189/How-Do-I-Display-All-Names-Of-Employees-By-Providi

Replace the query with the below:
"select * from table_name where S_ID = '" + txtSearch.Text + "' OR Fellow_name like '%" + txtSearch1.Text + "%'"
Member 11793580 3-Jul-15 0:52am    
This query is not working

1 solution

Your approach is wrong from the very beginning. The query is composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is a way more important issue: it opens the doors to a well-known exploit called SQL injection.

This is how it works: http://xkcd.com/327.

Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.

What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
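As an added illustration of the parametrized-statement remedy the answer points to (this is not the answer author's code and not from the original page), the following C# snippet rewrites the question's query for ADO.NET with SqlClient. It assumes a SQL Server table named table_name with columns S_ID and Fellow_name, as in the question, treats S_ID as text because the question compares it against a string, and uses a placeholder connection string; the AutoComplete wiring uses the standard WinForms TextBox properties.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Added example, not code from the original answer. Assumes table_name with
// columns S_ID and Fellow_name (from the question) on SQL Server, and a
// placeholder connection string.
public static class FellowSearch
{
    private const string ConnectionString = "<your connection string here>"; // placeholder

    // Returns the Fellow_name values matching either an exact S_ID or a partial name.
    // Both user inputs travel as parameters, so whatever is typed into the
    // textboxes is handled as data by the server, never as SQL text.
    public static List<string> FindNames(string idText, string partialName)
    {
        const string sql =
            "SELECT Fellow_name FROM table_name " +
            "WHERE S_ID = @id OR Fellow_name LIKE @name";

        var names = new List<string>();
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value =
                idText ?? string.Empty;
            // The LIKE wildcards belong in the parameter value, not in the SQL string.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value =
                "%" + (partialName ?? string.Empty) + "%";

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    if (!reader.IsDBNull(0))
                        names.Add(reader.GetString(0));
                }
            }
        }
        return names;
    }

    // Feeds the names into an existing WinForms TextBox as typing suggestions.
    public static void AttachAutoSuggest(TextBox textBox, IEnumerable<string> names)
    {
        var source = new AutoCompleteStringCollection();
        foreach (string name in names)
            source.Add(name);

        textBox.AutoCompleteMode = AutoCompleteMode.SuggestAppend;
        textBox.AutoCompleteSource = AutoCompleteSource.CustomSource;
        textBox.AutoCompleteCustomSource = source;
    }
}

// Typical use from a form, e.g. in a button or TextChanged handler:
//   var names = FellowSearch.FindNames(txtSearch.Text, txtSearch1.Text);
//   FellowSearch.AttachAutoSuggest(txtSearch1, names);
```

Two points worth noting: with an empty name textbox the pattern becomes "%%", which matches every row, so a form should usually require a minimum number of characters before querying; and a user typing "%" or "_" still gets wildcard matching inside the pattern, which is a search-behaviour detail rather than an injection, since the parameter can never change the statement itself.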
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)