I want to match the first name and last name of a person to the textbox value...
I got this code. For this I use an array, meaning I first split the text and then match it in the select query. But now I want to check: if the textbox has only a first name then a different query, and if it has first name & last name then a different query. So how can I identify whether there is one word or two words in the textbox?
Please help me..
 

my code is:-
 
```csharp
String Name = txtname.Text;
// Split the textbox value on spaces; Spilted[1] throws if only one word was entered
String[] Spilted = Name.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
String firstname = Spilted[0];
String lastname = Spilted[1];

// Query text is built by concatenating the user's input directly into the SQL
SqlCommand cmd = new SqlCommand("Select PROFILE_ID,FIRST_NAME,PROFILE_REQUEST_STATUS from DSProfile.HDR_PROFILE  where FIRST_NAME='" + firstname + "' and LAST_NAME='" + lastname + "'  and PROFILE_REQUEST_STATUS='" + false + "'", con);
// SqlCommand cmd = new SqlCommand("Select p.PROFILE_ID,g.FRIEND_ID,p.FIRST_NAME,g.ACCEPT_STATUS from DSProfile.HDR_PROFILE p,DSMailBox.HDR_GROUP g where p.FIRST_NAME='" + friendname + "' and p.PROFILE_ID=g.FRIEND_ID and ACCEPT_STATUS='" + false + "'", con);
SqlDataAdapter sda = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
sda.Fill(ds);
int cnt = ds.Tables[0].Rows.Count;
DT = ds.Tables[0];   // DT is a DataTable field declared elsewhere in the page
GridView1.DataSource = ds;
GridView1.DataBind();
```
[edit]Code block added - OriginalGriff[/edit]
Posted 25-Nov-12 22:20pm
Edited 25-Nov-12 22:36pm
v2
Comments
E.F. Nijboer at 26-Nov-12 3:25am
   
You know about sql injection?
http://en.wikipedia.org/wiki/SQL_injection

1 solution


Solution 1

There are a number of things wrong with your code:
Firstly, you don't check your inputs - if the user does not enter two words, separated by a space, you will get an "Out of range" exception. Always check - users make mistakes, and they would really rather your program didn't crash and take their data with it...
 
Secondly, please don't do it like that - as EF Nijboer has said, that leaves you wide open for SQL Injection attacks which can accidentally or deliberately destroy your database. Use parametrized queries instead.
```csharp
// Parameterised query: user input is passed as values, never concatenated into the SQL text
SqlCommand cmd = new SqlCommand("Select PROFILE_ID,FIRST_NAME,PROFILE_REQUEST_STATUS from DSProfile.HDR_PROFILE where FIRST_NAME=@FN and LAST_NAME=@LN and PROFILE_REQUEST_STATUS=@PRS", con);
cmd.Parameters.AddWithValue("@FN", firstname);
cmd.Parameters.AddWithValue("@LN", lastname);
cmd.Parameters.AddWithValue("@PRS", false);
```
 
The way to check the number of words added is pretty simple: Check the Length of the Spilted array...
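An added example (not code from the question or from OriginalGriff's answer) that puts the answer's two points together: it checks the Length of the split array to choose the one-word or two-word query, and passes every value as a typed SqlParameter. It assumes `con` is an open SqlConnection and that the name columns are NVARCHAR(100).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the question or the answer. Branches on the
// word count of the textbox text, as the answer suggests, and passes every
// value as a typed parameter so the SQL text never contains user input.
// Assumptions: "con" is an open SqlConnection; name columns are NVARCHAR(100).
public static class ProfileLookup
{
    // Returns null when the input is not exactly one or two words, so the
    // caller can show a validation message instead of hitting an
    // IndexOutOfRangeException or running a query it did not intend.
    public static SqlCommand BuildLookup(string textboxValue, SqlConnection con)
    {
        string[] words = (textboxValue ?? string.Empty)
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        string filter;
        switch (words.Length)
        {
            case 1: filter = "FIRST_NAME = @FN"; break;
            case 2: filter = "FIRST_NAME = @FN AND LAST_NAME = @LN"; break;
            default: return null;
        }
        // Only constant fragments are concatenated here; user text goes in parameters.
        var cmd = new SqlCommand(
            "SELECT PROFILE_ID, FIRST_NAME, PROFILE_REQUEST_STATUS " +
            "FROM DSProfile.HDR_PROFILE WHERE " + filter +
            " AND PROFILE_REQUEST_STATUS = @PRS", con);
        // Typed parameters: values travel separately from the SQL text, so
        // quotes or SQL keywords typed into the textbox are treated as data.
        cmd.Parameters.Add("@FN", SqlDbType.NVarChar, 100).Value = words[0];
        if (words.Length == 2)
            cmd.Parameters.Add("@LN", SqlDbType.NVarChar, 100).Value = words[1];
        // A real bit value, not the string 'False' that "'" + false + "'" produces.
        cmd.Parameters.Add("@PRS", SqlDbType.Bit).Value = false;
        return cmd;
    }

    // Runs the lookup and returns the matching rows, or null for 0 or 3+ words.
    public static DataTable Lookup(string textboxValue, SqlConnection con)
    {
        SqlCommand cmd = BuildLookup(textboxValue, con);
        if (cmd == null) return null;
        var table = new DataTable();
        using (var sda = new SqlDataAdapter(cmd)) sda.Fill(table);
        return table;
    }
}
```

Bind the returned DataTable to GridView1 when it is non-null; when it is null, show the user a message asking for one or two words rather than running any query.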
