Hi, I want to search for a name in the database using C#, but it gives the error "Unknown column string". For an integer number it works.
// Needed at the top of the file:
using System;
using System.Configuration;
using System.Data;
using System.Windows.Forms;
using MySql.Data.MySqlClient;

// Inside the form's event handler (con, da and ds are fields of the form):
try
{
    con = new MySqlConnection();
    // ConfigurationSettings.AppSettings is obsolete; ConfigurationManager.AppSettings is its replacement
    con.ConnectionString = ConfigurationSettings.AppSettings["constr"];
    con.Open();
    // name is a string column, so without quotes MySQL reads the typed text as a
    // column name and reports "Unknown column"; an integer works because it needs
    // no quotes. Quoting the text would still leave the query open to SQL injection.
    string str = "select pfno,name,desig,oldtno,newtno from empreg where name like " + textBox1.Text;
    da = new MySqlDataAdapter(str, con);
    ds = new DataSet();
    da.Fill(ds, "empreg");
    // Fill adds a single table named "empreg" (index 0); Tables[1] would throw
    dataGridView1.DataSource = ds.Tables["empreg"];
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}
finally
{
    con.Close();
}
Posted 6-Aug-12 11:25am, edited 6-Aug-12 11:27am
Comments
Wes Aday 6-Aug-12 17:28pm
string str = "select pfno,name,desig,oldtno,newtno from empreg where name like '%" + textBox1.Text + "%'"; We will discuss SQL injection attacks another time.
Kenneth Haugland 6-Aug-12 17:29pm
So what's the value in the Textbox then? And does your query work if you hard-code it?
Wes Aday 6-Aug-12 17:32pm
You need single quotes around strings. Integers you do not.
GuruOnu 6-Aug-12 17:37pm
Thanks Wes, love you :)
Solution 1

Here is the answer to what Wes wanted to teach you:
SQL Injection Attacks and Some Tips on How to Prevent Them
Comments
GuruOnu 6-Aug-12 17:39pm
Thanks

My 5. I added my own variant of explaining this; please see.
--SA
Solution 3

One more useful article on SQL injection:
http://en.wikipedia.org/wiki/SQL_injection

You really need to get rid of building a query string by concatenation with data taken from the UI. In a nutshell, the idea of the exploit is very simple: anything can be placed in textBox1.Text, even a fragment of SQL code. Parametrized statements solve this problem.

—SA
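An added example, not part of the original thread, showing the point of Solution 3 in working code: the quoted-and-concatenated LIKE query from the comments beside a parametrized version. It mirrors the poster's empreg query but uses Python's sqlite3 instead of MySQL so it runs offline; the table rows, the `search_concat` / `search_param` function names and the `escape_like` helper are constructed for the example. It also covers one caveat the answers do not mention: placeholders stop SQL injection, but `%` and `_` typed by the user are still LIKE wildcards unless they are escaped.

```python
import sqlite3

# Constructed sample rows standing in for the poster's empreg table. The
# original uses MySQL; sqlite3 (standard library) is used here so the example
# runs offline, and the same placeholder idea applies to MySqlCommand.
EMPLOYEES = [
    (101, "Alice Onu", "Engineer", "1001", "2001"),
    (102, "Bob Singh", "Clerk", "1002", "2002"),
    (103, "Carol O'Brien", "Manager", "1003", "2003"),
]

COLUMNS = "pfno,name,desig,oldtno,newtno"


def make_db():
    """Create an in-memory empreg table loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table empreg (pfno integer, name text, desig text,"
        " oldtno text, newtno text)"
    )
    con.executemany("insert into empreg values (?,?,?,?,?)", EMPLOYEES)
    return con


def search_concat(con, user_input):
    """The quoted-and-concatenated query from the comments: the quotes fix the
    'Unknown column' error, but whatever is typed still becomes SQL text, so
    an apostrophe breaks the query and a crafted string rewrites it."""
    sql = ("select " + COLUMNS + " from empreg where name like '%"
           + user_input + "%'")
    return con.execute(sql).fetchall()


def escape_like(text, esc="\\"):
    """Escape LIKE metacharacters so the user's text matches literally.
    Parameters stop SQL injection but do not stop '%' and '_' from acting as
    wildcards inside the pattern, so that part is escaped by hand."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param(con, user_input):
    """Parametrized version: the SQL text is constant and the user's text is
    passed as a value, with the wildcards added to the value, not the SQL."""
    sql = "select " + COLUMNS + " from empreg where name like ? escape '\\'"
    pattern = "%" + escape_like(user_input) + "%"
    return con.execute(sql, (pattern,)).fetchall()


def demo():
    """Run both searches over a normal name, a name with an apostrophe, an
    injection string and a bare wildcard; return row counts (or the error)."""
    con = make_db()
    results = {}
    for label, fn in (("concat", search_concat), ("param", search_param)):
        for text in ("Alice", "O'Brien", "' or '' like '", "%"):
            try:
                results[(label, text)] = len(fn(con, text))
            except sqlite3.OperationalError as exc:
                results[(label, text)] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the concatenated query, `O'Brien` is a syntax error and `' or '' like '` returns every row; with the parametrized query both are plain search terms and a typed `%` matches only a literal percent sign. In the poster's C#, the equivalent is a `MySqlCommand` whose SQL ends in `where name like @name`, with `cmd.Parameters.AddWithValue("@name", "%" + textBox1.Text + "%")` supplying the value, and the same wildcard escaping applied to the text before the `%` are added.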
Solution 2

"select * from empreg where pfno LIKE '%"+textBox1.Text+"%'";
Comments
No, no, this is subject to SQL Injection. Never do such things.
--SA
GuruOnu 7-Aug-12 2:48am
   
ok as you say sir.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Copyright © CodeProject, 1999-2016