How to fix this error

Question

1.00/5 (1 vote)

See more:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class searchdoctor : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection("Data Source=DESKTOP-9RP88PP;Initial Catalog=Project;Integrated Security=True");
    string uname;
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        uname=Session["email"].ToString();
        con.Open();
        if(DropDownList1.SelectedItem.Text=="Name")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where name Like '" + TextBox1.Text + "%'";
        }
        if (DropDownList1.SelectedItem.Text == "Specialization")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where specialization Like'" + TextBox1.Text + "%'";
        }
        SqlDataAdapter adp = new SqlDataAdapter(sql,con);
        DataSet ds = new DataSet();
        adp.Fill(ds);
        GridView1.DataSource = ds;
        GridView1.DataBind();
        con.Close();

    }
}

This my code... Here I'm doing a project, when i click dropdownlist and enter the text in textbox and click search button it should display the data in grid view . My problem is it showing an error "The name sql does not exist in the current context.

What I have tried:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class searchdoctor : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection("Data Source=DESKTOP-9RP88PP;Initial Catalog=Project;Integrated Security=True");
    string uname;
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        uname=Session["email"].ToString();
        con.Open();
        if(DropDownList1.SelectedItem.Text=="Name")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where name Like '" + TextBox1.Text + "%'";
        }
        if (DropDownList1.SelectedItem.Text == "Specialization")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where specialization Like'" + TextBox1.Text + "%'";
        }
        SqlDataAdapter adp = new SqlDataAdapter(sql,con);
        DataSet ds = new DataSet();
        adp.Fill(ds);
        GridView1.DataSource = ds;
        GridView1.DataBind();
        con.Close();

    }
}

Posted 30-Oct-22 23:30pm

Member 15802819

Updated 30-Oct-22 23:59pm

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2022-10-30T23:59:00

You need to learn about variable scope:
Basic concepts - C# language specification | Microsoft Learn[^]

You declare two variables called sql which only exist within the scope of the if blocks. You cannot use either of them outside of those blocks.

You need to declare one variable, outside of those blocks, and use that instead:

C#

string sql;
if (DropDownList1.SelectedItem.Text == "Name")
{
    sql = "...";
}
else if (DropDownList1.SelectedItem.Text == "Specialization")
{
    sql = "...";
}

However, you have a much bigger problem: your code is vulnerable to SQL Injection[^]. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

C#

string sql;
if (DropDownList1.SelectedItem.Text=="Name")
{
    sql = "select doctor_id, name, address, contact_no, email_id, specialization from doctor_add where name Like @SearchText";
}
else if (DropDownList1.SelectedItem.Text == "Specialization")
{
    sql = "select doctor_id, name, address, contact_no, email_id, specialization from doctor_add where specialization Like @SearchText";
}

SqlDataAdapter adp = new SqlDataAdapter(sql, con);
adp.SelectCommand.Parameters.AddWithValue("@SearchText", TextBox1.Text + "%");

DataSet ds = new DataSet();
adp.Fill(ds);
GridView1.DataSource = ds;
GridView1.DataBind();

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]