seeking a product where more than field is needed in c# and sql

Question

1.00/5 (1 vote)

See more:

i have a table with products i am seeking a product according to product name, type and size, how to write a SQL statement for that?

C#

try
          {

              string str = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\\WStoreSystem\\WStoreSystem\\WStoreSystem\\bin\\Debug\\StoreSys.mdb";
              OleDbConnection con = new OleDbConnection(str);
              con.Open();
              OleDbCommand comm = new OleDbCommand();
              comm.Connection = con;
              string qu = "SELECT StockID FROM Stock where ProName '" + comboBox1.Text + "'" || ProType like '" + comboBox2.Text + "'" || ProSize like '" + comboBox3.Text + "'";

             comm.CommandText = qu;
              OleDbDataReader reder = comm.ExecuteReader();
              while (reder.Read())
              {
                  txtStockID.Text =(reder["StockID"].ToString());
              }
              con.Close();
          }
          catch (Exception ex)
          {
              MessageBox.Show("Error " + ex);
          }
      }

Posted 19-May-15 7:59am

MeftahDAKHEEL

Add a Solution

Comments

virusstorm 19-May-15 14:17pm

We need to know what your table looks like to help you write the SQL needed.

MeftahDAKHEEL 20-May-15 12:49pm

1 1 Bridgestone TC10 B 175/70R13
2 1 Bridgestone MY02 B 185/65R14
3 1 Bridgestone TC10 B 185/70R14
4 1 Bridgestone AR20 B 215/60R16
5 1 Bridgestone AR20 B 225/55R16
6 1 Bridgestone TG90 B 235/60R16
7 1 Bridgestone TC10 B185/65R15

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Accepted Answer · 2015-05-19T08:22:00

Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Rather than specifying the full path to the database file, use |DataDirectory| in your connection string. This will automatically point to the application directory for a Windows application, and the App_Data directory for a web application.

Wrap disposable objects in a using block to ensure that their resources are always cleaned up.

There's no need to use ExecuteReader when you're only reading a single value. Use ExecuteScalar instead.

And SQL uses the operators AND and OR, not the C-style && and ||.

C#

const string ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|StoreSys.mdb";
const string Query = "SELECT TOP 1 StockID FROM Stock WHERE ProName = ? Or ProType = ? Or ProSize = ?";

using (var connection = new OleDbConnection(ConnectionString))
using (var command = new OleDbCommand(Query, connection))
{
    // OleDb doesn't use named parameters, so only the order matters here:
    command.Parameters.AddWithValue("p0", comboBox1.Text);
    command.Parameters.AddWithValue("p1", comboBox2.Text);
    command.Parameters.AddWithValue("p2", comboBox3.Text);

    connection.Open();
    txtStockID.Text = Convert.ToString(command.ExecuteScalar());
}

Also, do yourself a favour and give your controls meaningful names. Accepting the default name assigned by the designer will only cause confusion later.

EDIT:
Based on the comments, it sounds like you want to match all of the selected parameters, rather than matching any of the selected parameters. If so, change the code to:

C#

const string ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|StoreSys.mdb";
const string Query = "SELECT TOP 1 StockID FROM Stock WHERE (ProName = ? Or ? = '') And (ProType = ? Or ? = '') And (ProSize = ? Or ? = '')";

using (var connection = new OleDbConnection(ConnectionString))
using (var command = new OleDbCommand(Query, connection))
{
    // OleDb doesn't use named parameters, so only the order matters here:
    command.Parameters.AddWithValue("p0", comboBox1.Text);
    command.Parameters.AddWithValue("p1", comboBox1.Text);
    command.Parameters.AddWithValue("p2", comboBox2.Text);
    command.Parameters.AddWithValue("p3", comboBox2.Text);
    command.Parameters.AddWithValue("p4", comboBox3.Text);
    command.Parameters.AddWithValue("p5", comboBox3.Text);

    connection.Open();
    txtStockID.Text = Convert.ToString(command.ExecuteScalar());
}

(You have to add each parameter twice, since OleDb doesn't used named parameters.)