Click here to Skip to main content
15,559,275 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class searchdoctor : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection("Data Source=DESKTOP-9RP88PP;Initial Catalog=Project;Integrated Security=True");
    string uname;
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        uname=Session["email"].ToString();
        con.Open();
        if(DropDownList1.SelectedItem.Text=="Name")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where name Like '" + TextBox1.Text + "%'";
        }
        if (DropDownList1.SelectedItem.Text == "Specialization")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where specialization Like'" + TextBox1.Text + "%'";
        }
        SqlDataAdapter adp = new SqlDataAdapter(sql,con);
        DataSet ds = new DataSet();
        adp.Fill(ds);
        GridView1.DataSource = ds;
        GridView1.DataBind();
        con.Close();

    }
}





This my code... Here I'm doing a project, when i click dropdownlist and enter the text in textbox and click search button it should display the data in grid view . My problem is it showing an error "The name sql does not exist in the current context.

What I have tried:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class searchdoctor : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection("Data Source=DESKTOP-9RP88PP;Initial Catalog=Project;Integrated Security=True");
    string uname;
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        uname=Session["email"].ToString();
        con.Open();
        if(DropDownList1.SelectedItem.Text=="Name")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where name Like '" + TextBox1.Text + "%'";
        }
        if (DropDownList1.SelectedItem.Text == "Specialization")
        {
            string sql = "select doctor_id,name,address,contact_no,email_id,specialization from doctor_add where specialization Like'" + TextBox1.Text + "%'";
        }
        SqlDataAdapter adp = new SqlDataAdapter(sql,con);
        DataSet ds = new DataSet();
        adp.Fill(ds);
        GridView1.DataSource = ds;
        GridView1.DataBind();
        con.Close();

    }
}
Posted
Updated 31-Oct-22 0:59am
v2

1 solution

You need to learn about variable scope:
Basic concepts - C# language specification | Microsoft Learn[^]

You declare two variables called sql which only exist within the scope of the if blocks. You cannot use either of them outside of those blocks.

You need to declare one variable, outside of those blocks, and use that instead:
C#
string sql;
if (DropDownList1.SelectedItem.Text == "Name")
{
    sql = "...";
}
else if (DropDownList1.SelectedItem.Text == "Specialization")
{
    sql = "...";
}

However, you have a much bigger problem: your code is vulnerable to SQL Injection[^]. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.
C#
string sql;
if (DropDownList1.SelectedItem.Text=="Name")
{
    sql = "select doctor_id, name, address, contact_no, email_id, specialization from doctor_add where name Like @SearchText";
}
else if (DropDownList1.SelectedItem.Text == "Specialization")
{
    sql = "select doctor_id, name, address, contact_no, email_id, specialization from doctor_add where specialization Like @SearchText";
}

SqlDataAdapter adp = new SqlDataAdapter(sql, con);
adp.SelectCommand.Parameters.AddWithValue("@SearchText", TextBox1.Text + "%");

DataSet ds = new DataSet();
adp.Fill(ds);
GridView1.DataSource = ds;
GridView1.DataBind();


Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
 
Share this answer
 
Comments
Member 15802819 31-Oct-22 6:25am    
Thank you for the reply:)

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900