I would suggest you find some other tutorials, as the code you have presented is ripe for an SQL Injection
attack; which was identified over 20 years ago- before YouTube even existed.
Search this site and elsewhere to find out all you need to know and then some SQL Injection; it is seen here weekly and if you read through the other answers there is a plethora of links to information about this.
This line of code has a few problems:
Dim searchquery As String = "SELECT * FROM DBO.OUTDOOR WHERE ITEM = 'HP209'" & valueToSerach & "%"
1. It is vulnerable as you are taking user input verbatim and concatenating it into an SQL statement. Crafted input from the end user could trick your software into revealing all of it's secrets, adding content to all of your tables, or deleting your entire database. Simumltaneously.
clause in the statement utilizes the equals (
) operator, but it appears you want to do a search which would necessitate the
3. The syntax of the SQL statement should be causing an exception to be raised- Have you reviewed the logs or run this in Debug
Now for the better way to do this.
Dim searchquery As String = "SELECT * FROM dbo.Outdoor WHERE Item LIKE 'HP209' + @ValueToSearch + '%'"
Dim command As New SqlCommand(searchquery, connection)
1. Replaced the direct user input with a Paramater
, and added a new line after command
is create to assign the parameter value. If any nefarious input was typed in, when the parameter is added to the statement it will be encoded to not trick your server.
2. The WHERE clause has been changed to use the LIKE operator, so we can retrieve rows that match the HP209xxxx pattern (HP209, HP209abc, HP209xxaafff)
will all be returned
Wouldn't you know it, but today's CodeProject News Items
] has an article and item #6 on this list is SQL Injection- I would suggest reading through the article and related items such as #3 (input validation).
Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now • The Register