See more: ASP.NET
I want to match the first name and last name of a person to a textbox value...
I got this code for this. It uses an array, which means it first splits the text and then matches in a select query. But now I want to check the textbox: if it has only the first name then a different query, and if it has first name & last name then a different query. So how can I identify one word or two words in the textbox?
Please help me.
 

my code is:-
 
        String Name = txtname.Text;
        String[] Spilted = Name.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
        String firstname = Spilted[0];
        String lastname = Spilted[1];
 

        SqlCommand cmd = new SqlCommand("Select PROFILE_ID,FIRST_NAME,PROFILE_REQUEST_STATUS from DSProfile.HDR_PROFILE  where FIRST_NAME='" + firstname + "' and LAST_NAME='" + lastname + "'  and PROFILE_REQUEST_STATUS='" + false + "'", con);
       // SqlCommand cmd = new SqlCommand("Select p.PROFILE_ID,g.FRIEND_ID,p.FIRST_NAME,g.ACCEPT_STATUS from DSProfile.HDR_PROFILE p,DSMailBox.HDR_GROUP g where p.FIRST_NAME='" + friendname + "' and p.PROFILE_ID=g.FRIEND_ID and ACCEPT_STATUS='" + false + "'", con);
        SqlDataAdapter sda = new SqlDataAdapter(cmd);
        DataSet ds = new DataSet();
        sda.Fill(ds);
        int cnt = ds.Tables[0].Rows.Count;
        DT = ds.Tables[0];
        GridView1.DataSource = ds;
        GridView1.DataBind();
 
[edit]Code block added - OriginalGriff[/edit]
Posted 25-Nov-12 21:20pm
Edited 25-Nov-12 21:36pm
v2
Comments
E.F. Nijboer at 26-Nov-12 3:25am
   
You know about SQL injection? http://en.wikipedia.org/wiki/SQL_injection

1 solution


Solution 1

There are a number of things wrong with your code:
Firstly, you don't check your inputs - if the user does not enter two words, separated by a space, you will get an "Out of range" exception. Always check - users make mistakes, and they would really rather your program didn't crash and take their data with it...
 
Secondly, please don't do it like that - as EF Nijboer has said, that leaves you wide open for SQL Injection attacks which can accidentally or deliberately destroy your database. Use parametrized queries instead.
        SqlCommand cmd = new SqlCommand("Select PROFILE_ID,FIRST_NAME,PROFILE_REQUEST_STATUS from DSProfile.HDR_PROFILE where FIRST_NAME=@FN and LAST_NAME=@LN and PROFILE_REQUEST_STATUS=@PRS", con);
        cmd.Parameters.AddWithValue("@FN", firstname);
        cmd.Parameters.AddWithValue("@LN", ...
 
The way to check the number of words added is pretty simple: Check the Length of the Spilted array...

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
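
An added example, not part of the original question or answer: one way to combine the two points from Solution 1, checking the length of the split array before indexing it and sending the words only as parameter values. `ProfileSearch.BuildCommand` is a hypothetical helper name, and the column types (NVARCHAR(100) names, BIT status) are assumptions about the schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProfileSearch
{
    // Hypothetical helper: builds the lookup for one or two words of input.
    // Returns null when the input is empty or has more than two words,
    // so the caller can show a validation message instead of throwing.
    public static SqlCommand BuildCommand(string input, SqlConnection con)
    {
        string[] words = (input ?? string.Empty)
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (words.Length < 1 || words.Length > 2)
            return null;

        const string baseSql =
            "Select PROFILE_ID,FIRST_NAME,PROFILE_REQUEST_STATUS " +
            "from DSProfile.HDR_PROFILE " +
            "where FIRST_NAME=@FN and PROFILE_REQUEST_STATUS=@PRS";

        var cmd = new SqlCommand(baseSql, con);
        // Assumed column types: NVARCHAR(100) names and a BIT status.
        cmd.Parameters.Add("@FN", SqlDbType.NVarChar, 100).Value = words[0];
        cmd.Parameters.Add("@PRS", SqlDbType.Bit).Value = false;

        if (words.Length == 2)
        {
            // Only SQL text chosen by our own code varies; user input
            // always travels as a parameter value, never as query text.
            cmd.CommandText += " and LAST_NAME=@LN";
            cmd.Parameters.Add("@LN", SqlDbType.NVarChar, 100).Value = words[1];
        }
        return cmd;
    }
}
```

The returned command can be passed to `SqlDataAdapter` exactly as in the question; a null return means the textbox did not contain one or two words.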

Web02 | 2.8.140415.2 | Last Updated 26 Nov 2012
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Use