Click here to Skip to main content
15,905,148 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
How can i search for a record in a particular sql table listed in combo box

What I have tried:

Sqlconnection conn = new Sqlconnection ("select * from INFORMATION_SCHEMA.TABLES where firstname like'" + txtIndexSearch. Text + "%'", conn)
Updated 2-Jan-23 4:31am

The same way that you search for the tables; you build a SELECT command with the relevant keywords. Also, you should not use string concatenation to build SQL commands, use proper parameterised queries: see A guide to preventing SQL injection[^].
Share this answer
Combo boxes are dangerous: they allow the user to type what they want, it isn't restricted to just the items in it's list. A drop down list is safer, but still requires care. The reason why is simple; if the user can directly influence what becomes part of an SQL Command, your database is at risk of SQL Injection which can damage or destroy it.
And unfortunately, table names cannot be passed as parameters due to teh order in which the SQL DB engine processes commands.

The search text has exactly the same problem: when you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
A perfectly valid "delete the table" command
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

So while it's possible to do what you want, it's not a good idea unless you ensure that only "safe" commands can be entered - which means a collection of valid SQLK table names which are allowed to be used.

Then it's a simple matter: add the table name from a collection, and the search text as a parameter:
string sql = $"SELECT * FROM {validTables[index]} WHERE firstName LIKE '%' + @FN + '%'";
using (SqlCommand cmd = new SqlCommand(sql, con))
   cmd.Parameters.AddWithValue("@FN", txtIndexSearch.Text);
Share this answer
Joel Silva 2022 3-Jan-23 9:25am    
Well, the only thing I was able to do is to read the table by using if("cmbox. selectedIndex.Tostring() ==" 2")
So, if I selected Index 2 in cmbox, then I used the sql query to read the Data.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900