The answer linked from solution 1 mentions that concatenating the values directly into the query leaves you vulnerable to SQL Injection
]; unfortunately, it doesn't show you the correct way to avoid that.
You could use a library such as Dapper
] to achieve this. Or you could write your own code, which isn't too complicated:
DataTable data = new DataTable();
using (SqlConnection con = new SqlConnection(cs))
using (SqlDataAdapter sda = new SqlDataAdapter(null, con))
var commandText = new System.Text.StringBuilder("SELECT * FROM atlit WHERE 1 = 0");
foreach (string ntn in searchtxtbox.Text.Split(','))
if (string.IsNullOrWhiteSpace(ntn)) continue;
string parameterName = "@ntn" + sda.SelectCommand.Parameters.Count;
commandText.Append(" OR ntn Like ").Append(parameterName);
sda.SelectCommand.CommandText = commandText.ToString();
This will build a query that looks something like:
SELECT * FROM atlit WHERE 1 = 0 OR ntn Like @ntn0 OR ntn Like @ntn1
Each comma-separated value from the textbox will be appended to the command as a parameter. If no values are entered, then no data will be returned.