how to search data using textbox in database in vb.net

Question

1.00/5 (2 votes)

See more:

this is my code but when I click on search there's an error! Please help..
thanks

<pre lang="vb">

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

ds = New DataSet
tables = ds.Tables
da = New OleDbDataAdapter("Select * from AMORLITO where _name = '" & TextBox1.Text & "'", con) 'Change items to your database name

If da.Fill(ds, "AMORLITO") Then 'Change items to your database name
Dim view As New DataView(tables(0))
source1.DataSource = view
DataGridView1.DataSource = view
Else
MsgBox("NO DATA!")
End If
End Sub

Posted 24-Apr-15 2:54am

Member 11566968

Updated 30-Jan-20 9:15am

Add a Solution

Comments

Kaushik S Murthy 24-Apr-15 9:04am

What is the error that you are getting?

Richard Deeming 24-Apr-15 9:12am

Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Member 11566968 24-Apr-15 9:14am

Syntax error in query expression '_name = '''
its my first time in programming. ^^,

Member 11566968 24-Apr-15 9:15am

what are the examples of parameterized query?Im a beginners thanks

Member 11566968 24-Apr-15 9:31am

thank you so much, how can i concatenate name?

Richard Deeming 24-Apr-15 9:33am

You'll need to explain that one - concatenate it with what?

Member 11566968 24-Apr-15 9:36am

i want to input letters only. example i input "a" all have a letter "a" in _name database, will query and show in my datagridview.

Richard Deeming 24-Apr-15 9:38am

So you want to use a Like comparison, instead of an =?
SELECT * FROM AMORLITO WHERE [_name] Like '%' + ? + '%'

Member 11566968 24-Apr-15 9:43am

"SELECT * FROM AMORLITO WHERE [_name] Like '*' + '" & TextBox1.Text & "' + '*' "

no data, is this right?

Richard Deeming 24-Apr-15 9:45am

No, you need to use a parameterized query.

Member 11566968 24-Apr-15 9:47am

thanks Richard. I understand now. ^^

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Accepted Answer · 2015-04-24T03:22:00

Start by fixing the SQL Injection[^] vulnerability in your code.

Then, check your column name. Is it really called _name (with a leading underscore character)? If so, you'll need to wrap it in square brackets.

Try something like this:

VB

Dim da As New OleDbDataAdapter("SELECT * FROM AMORLITO WHERE [_name] = ?", con)

' OleDb doesn't use named parameters, so the parameter name doesn't matter here:
da.SelectCommand.Parameters.AddWithValue("p0", TextBox1.Text)

Dim ds As New DataSet()
If da.Fill(ds, "AMORLITO") Then
    Dim view As DataView = ds.Tables(0).DefaultView
    source1.DataSource = view
    DataGridView1.DataSource = view
Else
    MsgBox("NO DATA!")
End If