Try this:
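/// <summary>
/// Loads the rows of [dsr_data] whose date_time lies between the values of TextBox1 and
/// TextBox4 and whose session_name is one of the items selected in ListBox1, then binds
/// the result to GVmydsr.
/// </summary>
/// <remarks>
/// Every user-controlled value reaches the server as a SQL parameter. The selected list
/// items were previously spliced into the statement text with string.Format, so a list
/// item containing a quote could change the statement. The data adapter was also built
/// from the raw query string rather than from the command, so the @from/@to parameters
/// added to the command were never sent with the query.
/// </remarks>
protected void searchname_date()
{
    // Collect the text of every selected list item.
    List<string> lstSelectedItems = new List<string>();
    for (int i = 0; i < ListBox1.Items.Count; i++)
    {
        if (ListBox1.Items[i].Selected)
        {
            lstSelectedItems.Add(ListBox1.Items[i].Text);
        }
    }

    // Nothing selected: "IN ()" is not valid T-SQL, so show an empty grid without a
    // round-trip. (The earlier code sent IN (''), which matches only blank session names.)
    if (lstSelectedItems.Count == 0)
    {
        GVmydsr.DataSource = null;
        GVmydsr.DataBind();
        return;
    }

    // One placeholder per selected item. Only these generated names are concatenated into
    // the statement text; the item values themselves travel as parameter values.
    List<string> sessionParamNames = new List<string>();
    for (int i = 0; i < lstSelectedItems.Count; i++)
    {
        sessionParamNames.Add("@session" + i);
    }

    string query = "SELECT * FROM [dsr_data] where (date_time between @from and @to ) And session_name in ("
        + string.Join(", ", sessionParamNames) + ")";

    DataTable dtAdmin = new DataTable();

    // using blocks release the connection, command and adapter even if Fill throws.
    using (SqlConnection cnn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand(query, cnn))
    using (SqlDataAdapter da = new SqlDataAdapter(cmd))
    {
        // NOTE(review): the dates are sent as strings and converted by SQL Server;
        // consider validating them with DateTime.TryParse and passing DateTime values.
        cmd.Parameters.AddWithValue("@from", TextBox1.Text);
        cmd.Parameters.AddWithValue("@to", TextBox4.Text);

        for (int i = 0; i < lstSelectedItems.Count; i++)
        {
            cmd.Parameters.AddWithValue(sessionParamNames[i], lstSelectedItems[i]);
        }

        // The adapter wraps cmd, so the parameters above are part of the executed query.
        da.Fill(dtAdmin);
    }

    if (dtAdmin.Rows.Count > 0)
    {
        GVmydsr.DataSource = dtAdmin;
    }
    else
    {
        GVmydsr.DataSource = null;
    }

    GVmydsr.DataBind();
}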
Note: Building the SQL query string by formatting values into it is vulnerable to SQL Injection attacks. Always use parameterized queries to prevent SQL Injection attacks in SQL Server; this applies to every value, including each item of an IN (...) list.