That's part of an SQL command, but as far as the Textbox is concerned, it's just a string, so it will display it.
TextBoxes don't process SQL, don't "magically know" about your database, and won't do arithmetic.
Even is they did, that fragment describes multiple columns in an SQL Command, so the text box would have no idea which of them to display anyway!
I'd suggest you go back to where you got the fragment from, and look at teh code around it: There will be "support code" which connects to a DB and prepares the SQL command before actually executing the query and handling the results.
Quote:
Do you mean this code?
......................................
Dim adapter3 As New SqlDataAdapter("SELECT BUILDING.Location,Mtype as MealType, " & Textbox7.Text & " FROM TRANSACTIONDETAILS INNER JOIN building on TRANSACTIONDETAILS.Bno=building.Bno WHERE " & Textbox6.Text & " TRANSACTIONDETAILS.TRANSACTIONDATE >= '" & RDate & "' and TRANSACTIONDETAILS.TRANSACTIONDATE <= '" & CCDate & "' GROUP BY BUILDING.Location,Mtype ORDER BY BUILDING.Location", Connection)
Dim ds3 As New DataSet()
adapter3.Fill(ds3, "tran3")
Datagrid2.DataSource = ds3.Tables("tran3").DefaultView
Datagrid2.DataBind()
That's part of it, yes - it sets up a DataAdapter (which is one of two ways to read multiple rows
and / or columns info from a DB in VB) with an existing SqlConnection, then reads the data from SQL Server into a DataSet and uses that to fill a DataGrid with the data.
That's how it works: you create a SqlConnection, you set up an SqlCommand (which is done for you as part of the DataAdapter creation), then you tell SQL Server to execute the command, and you handle the results it returns.
But that code does it in a very dangerous way!
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
Submit an article or tip