Hi, I got a problem while I was developing my search function. Despite using nVarChar as my column type when I created my SQL table (which makes searching in other languages possible), the search function doesn't show any results when I search with a Persian keyboard. There's no error, but the data grid view goes blank when I search in Persian.
I'll be very happy if you can help me.
Here is my function=>
C#
class newbook
{
    public static void Search(DataGridView dtg, String nam, String wri, String sub)
    {
        String SQL = "";
        UInt64 Where = 0;   // set to 1 once the first condition has been appended
        SQL = " Select nam as [Name], wri as [Writer], sub as [Subject] From newbook ";

        // "-" is used as the marker for "no filter on this column"
        if (nam != "-" || wri != "-" || sub != "-")
        {
            SQL = SQL + " where ";
        }
        if (nam != "-")
        {
            if (Where == 0)
            {
                Where = 1;
            }
            else
            {
                SQL = SQL + " And ";
            }
            // the user's text is concatenated straight into the query string
            SQL = SQL + " [nam] Like N'%" + nam + "%' ";
        }
        if (wri != "-")
        {
            if (Where == 0)
            {
                Where = 1;
            }
            else
            {
                SQL = SQL + " And ";
            }
            SQL = SQL + " [wri] Like N'%" + wri + "%' ";
        }
        if (sub != "-")
        {
            if (Where == 0)
            {
                Where = 1;
            }
            else
            {
                SQL = SQL + " And ";
            }
            SQL = SQL + " [sub] Like N'%" + sub + "%' ";
        }

        dtg.DataSource = DataBase.ExecuteSelect(SQL);
    }
}
And this is how I call the function in the search button=>
C#
String N, W, S;

N = "-";
W = "-";
S = "-";
// every filter receives the same text box value
N = txtuser.Text;
W = txtuser.Text;
S = txtuser.Text;

newbook.Search(dtgbook, N, W, S);
I use Visual Studio Ultimate 2013 and SQL Server 2014 Management Studio for my database.

Thanks for your help.

What I have tried:

My mentor believes there is something missing in the search button where I call the function, but I'm not sure, and it's the first time I have encountered such a problem, so I'm really mixed up!
Posted
Updated 9-Jul-19 5:47am
v2

1 solution

You have more problems than you realize:
1. SQL Injection Vulnerability. NEVER EVER put together a query by piecing together commands and user input.
2. Do you realize that you have created somewhere between 2 and 9 different strings called SQL? Strings are immutable, so redefining actually makes a new one.
3. I question any mentor who lets you program like this.

The fix for SQL Injection is to use SqlParameters in your query:
SqlParameter Class (System.Data.SqlClient) | Microsoft Docs

The proper way to build a string is the StringBuilder:
StringBuilder Class (System.Text) | Microsoft Docs
   
v2
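The two fixes the answer recommends, applied to the Search method from the question, as an added example that is not code from the asker or the answerer. The table and column names come from the question; the connection string and the DataBase helper are not shown on the page, so a placeholder connection string is assumed and the query is run directly through SqlCommand. The user's text goes in as typed NVarChar parameters, so it never becomes part of the SQL text and non-Latin input such as Persian stays Unicode end to end.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Windows.Forms;

public static class NewBookSearch
{
    // Placeholder: the page does not show how DataBase connects.
    private const string ConnectionString = "<your connection string>";

    // Builds a single parameterized query for the newbook table.
    public static void Search(DataGridView dtg, string nam, string wri, string sub)
    {
        var sql = new StringBuilder(
            "SELECT nam AS [Name], wri AS [Writer], sub AS [Subject] FROM newbook");
        var parameters = new List<SqlParameter>();

        // Same convention as the question: "-" means "no filter on this column".
        AddFilter(sql, parameters, "nam", nam);
        AddFilter(sql, parameters, "wri", wri);
        AddFilter(sql, parameters, "sub", sub);

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql.ToString(), conn))
        {
            cmd.Parameters.AddRange(parameters.ToArray());
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);   // opens and closes the connection
            dtg.DataSource = table;
        }
    }

    private static void AddFilter(StringBuilder sql, List<SqlParameter> parameters,
                                  string column, string value)
    {
        if (value == "-") return;
        // First filter gets WHERE, every later one gets AND.
        sql.Append(parameters.Count == 0 ? " WHERE " : " AND ");
        // The column name is a fixed identifier chosen in code, never user input;
        // only the parameter placeholder (@nam, @wri, @sub) refers to the user's text.
        sql.Append('[').Append(column).Append("] LIKE @").Append(column);
        // NVarChar carries the search text as Unicode, matching the nvarchar columns.
        parameters.Add(new SqlParameter("@" + column, SqlDbType.NVarChar, 400)
        {
            Value = "%" + value + "%"
        });
    }
}
```

A user-typed `%`, `_` or `[` is still a LIKE wildcard inside the parameter value; escape those characters first if a literal match is required.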

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)