need help in syntax in c#

Question

1.00/5 (2 votes)

See more:

C#

String sql = "select PatientId, FirstName, LastName, Sex, Age, CNIC, Phone, GaurdianName from Patients WHERE 1=1";
            if (PatientId.Text != "")
            {
                
               sql += " AND PatientId LIKE '%" + PatientId.Text + "%'";
            }

i couldn't uderstand where is wrong!! i want to retrieve exact patient id but not getting like if i query for 1 it is showing 1,10,11 records!! i couldn't fighure out where is the problem.

Posted 1-Jun-13 16:50pm

Faraz the fighter

Updated 1-Jun-13 18:05pm

David_Wimbley

v2

Add a Solution

Comments

[no name] 1-Jun-13 23:53pm

"1 it is showing 1,10,11 records" and so it should. Do you have any idea what LIKE does? That is the output that I would expect. If you want the exact PatientId then you just need to use =

David_Wimbley 2-Jun-13 0:05am

Should make that the answer, would have my 5

Faraz the fighter 2-Jun-13 0:52am

sql += " AND PatientId == + PatientId.Text + ";

not giving the required result

bbirajdar 2-Jun-13 2:00am

== should be = since it is sql syntax

debkumar@codeproject 2-Jun-13 0:07am

What is the use of 1=1? Unnecessarily adding clause. I believe query optimizer removes this from the query.

'LIKE' and '%' are used for finding elements based on substrig (ignoring case sensitivity). '=' is used for finding exact (ignoring case sensitivity).

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2013-06-01T22:27:00

Solution 1

To add to what the others have said, don't do it like that anyway.
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

Posted 1-Jun-13 22:27pm

OriginalGriff

Maciej Los · Answer 2 · 2013-06-01T23:28:00

To get exact match, your query should looks like:

SQL

SELECT PatientId, FirstName, LastName, Sex, Age, CNIC, Phone, GaurdianName
FROM Patients
WHERE PatientId LIKE =@PatientId

I would suggest you to create stored procedure and call it from code behind.
Using a Stored Procedure with Output Parameters[^]
How to create a SQL Server stored procedure with parameters [^]