The answer linked from solution 1 mentions that concatenating the values directly into the query leaves you vulnerable to
SQL Injection[
^]; unfortunately, it doesn't show you the correct way to avoid that.
You could use a library such as
Dapper[
^] to achieve this. Or you could write your own code, which isn't too complicated:
DataTable data = new DataTable();
using (SqlConnection con = new SqlConnection(cs))
using (SqlDataAdapter sda = new SqlDataAdapter(null, con))
{
var commandText = new System.Text.StringBuilder("SELECT * FROM atlit WHERE 1 = 0");
foreach (string ntn in searchtxtbox.Text.Split(','))
{
if (string.IsNullOrWhiteSpace(ntn)) continue;
string parameterName = "@ntn" + sda.SelectCommand.Parameters.Count;
sda.SelectCommand.Parameters.AddWithValue(parameterName, ntn.Trim());
commandText.Append(" OR ntn Like ").Append(parameterName);
}
sda.SelectCommand.CommandText = commandText.ToString();
sda.Fill(data);
}
This will build a query that looks something like:
SELECT * FROM atlit WHERE 1 = 0 OR ntn Like @ntn0 OR ntn Like @ntn1
Each comma-separated value from the textbox will be appended to the command as a parameter. If no values are entered, then no data will be returned.