Hi Sir,

I am Rakesh P.

I have a simple issue with a GridView and a TextBox.

I have a table "EMP" in the database. Now I have a TextBox, a Button and a GridView on the page.

I want to display the result for a particular empid in the GridView when I enter the empid in the TextBox. I tried to implement it using a WHERE clause, but it shows an error that the TextBox can't be bound with the GridView.

I have implemented it like this .... what is wrong with this?

C#
protected void Button1_Click(object sender, EventArgs e)
{
    SqlConnection Cn = new SqlConnection("server=OM-PC;database=master;uid=SA;pwd=123");

    // The WHERE clause names a C# control property; SQL Server never sees the TextBox value
    SqlCommand Cmd = new SqlCommand("SELECT * FROM DEPT WHERE TextBox1.Text= DNO", Cn);
    Cn.Open();

    SqlDataReader Dr = Cmd.ExecuteReader();

    GridView1.DataSource = Dr;
    GridView1.DataBind();

    Dr.Close();

    Cn.Close();
}

Please help me ...


-Rakesh
Updated 16-Jul-12 3:43am

SQL doesn't know your TextBox.
C#
SqlCommand Cmd = new SqlCommand("SELECT * FROM DEPT WHERE TextBox1.Text= DNO", Cn);

You have to add a parameter to your SQL representing your TextBox's value:
C#
SqlCommand Cmd = new SqlCommand("SELECT * FROM DEPT WHERE @txt = DNO", Cn);
Cmd.Parameters.AddWithValue("@txt", TextBox1.Text);

Comments
Mohamed Mitwalli 16-Jul-12 11:27am
   
5+, but it would be better if you suggested that he use
using( SqlCommand Cmd = new SqlCommand("SELECT * FROM DEPT WHERE @txt= DNO", Cn))
{

}
StianSandberg 17-Jul-12 1:47am
   
I guess you meant:
using( SqlCommand Cmd = new SqlCommand("SELECT * FROM DEPT WHERE @txt=DNO", Cn))
{
}
But "one step at a time" ;) He is obviously seeing solution 1 as the best choice here..
Mohamed Mitwalli 17-Jul-12 2:31am
   
Yes, but I don't agree with the first solution, as you mentioned in your comment: SQL injection.
Mohamed Mitwalli 17-Jul-12 2:32am
   
Yes, thanks, I didn't notice I made this mistake :)
StianSandberg 17-Jul-12 2:33am
   
We should be able to put a big warning-sign on answers like that.. :)
Mohamed Mitwalli 17-Jul-12 2:39am
   
lol yes why not :)
Hi,
check this example, it will help you
C#
using System.Configuration;
using System.Data.SqlClient;

protected void Button1_Click(object sender, EventArgs e)
{
    // Connection string comes from web.config instead of being hard-coded in the page
    using (SqlConnection Cn = new SqlConnection(ConfigurationManager.ConnectionStrings["testConnectionString"].ConnectionString))
    {
        // The order id travels as a parameter, so the user's text is never part of the SQL
        using (SqlCommand Cmd = new SqlCommand("SELECT * FROM orders WHERE orderid = @orderid", Cn))
        {
            Cn.Open();

            // int.Parse rejects anything that is not a whole number before the query runs
            Cmd.Parameters.AddWithValue("@orderid", int.Parse(TextBox1.Text));
            using (SqlDataReader Dr = Cmd.ExecuteReader())
            {
                if (Dr.HasRows)
                {
                    GridView1.DataSource = Dr;
                    GridView1.DataBind();
                }
            }
        }
    }
}

XML
<div>

    <asp:GridView ID="GridView1" runat="server">
    </asp:GridView>

    <br />
    <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>

    <asp:Button ID="Button1" runat="server" Text="Button" onclick="Button1_Click" />

</div>


Best Regards
M.Mitwalli
Hello, use this code; it may be helpful...

C#
protected void Button1_Click(object sender, EventArgs e)
{
    SqlConnection Cn = new SqlConnection("server=OM-PC;database=master;uid=SA;pwd=123");

    // The TextBox value is concatenated straight into the SQL text
    SqlCommand Cmd = new SqlCommand("SELECT * FROM DEPT WHERE DNO= " + TextBox1.Text, Cn);
    Cn.Open();

    SqlDataReader Dr = Cmd.ExecuteReader();

    GridView1.DataSource = Dr;
    GridView1.DataBind();

    Dr.Close();

    Cn.Close();
}

Comments
StianSandberg 16-Jul-12 9:50am
   
This is not a good solution. What if I fill out the textbox with: "1; DELETE FROM DEPT;"!??...

Then this sql is executed "SELECT * FROM DEPT WHERE DNO=1; DELETE FROM DEPT;"
Booom.. your table is gone..
[no name] 16-Jul-12 9:58am
   
THANK YOU SO MUCH..................
StianSandberg 16-Jul-12 10:01am
   
Rectus: You can't use this. It's open to SQL injection. Please use a SQL parameter as described in the other answers...
Mohamed Mitwalli 16-Jul-12 11:28am
   
Agree with you
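As an added example (not code from the thread), the two approaches side by side on an in-memory SQLite database: the concatenated query from solutions 3 and 4, the parameterized query from solutions 1 and 2, and the int.Parse check from solution 2, each run against the input StianSandberg used in the comment above. Assumptions: the DEPT rows are constructed sample data, and executescript() stands in for SQL Server executing the pasted-together string as one batch.

```python
import sqlite3

# Constructed sample rows standing in for the DEPT table named in the question.
SAMPLE_ROWS = [(1, "Sales"), (2, "Research"), (3, "Operations")]

# The input StianSandberg used in the comments to show the problem.
INJECTED_INPUT = "1; DELETE FROM DEPT;"


def make_db():
    """In-memory SQLite stand-in for the SQL Server database in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DEPT (DNO INTEGER, DNAME TEXT)")
    conn.executemany("INSERT INTO DEPT VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def remaining_rows(conn):
    """Current contents of DEPT, used to observe side effects of a lookup."""
    return conn.execute("SELECT DNO, DNAME FROM DEPT ORDER BY DNO").fetchall()

def lookup_concatenated(conn, text):
    """Vulnerable pattern from solutions 3 and 4: the textbox value is pasted into
    the SQL text. SQL Server executes the whole string as one batch; executescript()
    emulates that batch behaviour here. Returns what is left of the table afterwards."""
    sql = "SELECT * FROM DEPT WHERE DNO = " + text
    conn.executescript(sql)  # anything the user appended after ';' runs as well
    return remaining_rows(conn)

def lookup_parameterized(conn, text):
    """Safe pattern from solutions 1 and 2: the value is bound as a parameter, so the
    database treats it as data no matter which characters it contains."""
    cur = conn.execute("SELECT DNO, DNAME FROM DEPT WHERE DNO = ?", (text,))
    return cur.fetchall()

def parse_dno(text):
    """Mirror of the int.Parse step in solution 2: reject anything that is not a whole
    number before the query runs, so the user gets an error instead of an empty grid."""
    try:
        return int(text.strip())
    except ValueError:
        return None

if __name__ == "__main__":
    db = make_db()
    print(lookup_parameterized(db, INJECTED_INPUT), remaining_rows(db))  # [] and all 3 rows
    print(lookup_concatenated(db, INJECTED_INPUT))  # [] : the DELETE ran, the table is empty
```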
Use the code below; it will be useful.

C#
SqlConnection Cn = new SqlConnection("Data Source=WINHY1BRAJESH;Initial Catalog=master;Integrated Security=SSPI;");

// The TextBox value is concatenated straight into the SQL text
SqlCommand Cmd = new SqlCommand("SELECT * FROM DEPT WHERE DNO = " + TextBox1.Text, Cn);
Cn.Open();

SqlDataReader Dr = Cmd.ExecuteReader();

GridView1.DataSource = Dr;
GridView1.DataBind();

Dr.Close();

Cn.Close();

Comments
StianSandberg 16-Jul-12 10:02am
   
This solution opens up for SQL injection.. Bad idea. You should use SQL parameters!
Rajesh Varma Buddaraju 17-Jul-12 5:33am
   
This is just an example; we need to put the queries in a stored procedure to avoid SQL injection.
StianSandberg 17-Jul-12 5:49am
   
You don't have to use a stored procedure to avoid SQL injection.
Your answer contains a potentially harmful example code which should not be used under any circumstances.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)