And when you do it like this someone will submit "%' GO DELETE tblUsers --"
in your input box and wipe out your table (if the database user has enough
privileges to do so).
A better solution is to use the command object, like this:
using System.Data.OleDb;

OleDbCommand cmd = new OleDbCommand();
cmd.Connection = conn;   // an open OleDbConnection
// The OLE DB provider binds parameters by position, not by name, so the
// placeholder in the text is ? (the parameter name is only used in .NET code).
cmd.CommandText = "SELECT * FROM [tblUsers] WHERE [Address] LIKE ?";
// The % wildcards go into the parameter value, never into the SQL text.
cmd.Parameters.AddWithValue("@address", "%" + txtAddress.Text + "%");
Jerry
"David Wier" <dw***@nospamASPNet101.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
Dim sAddress As String
Dim SQL As String
sAddress = txtAddress.Text
SQL = "SELECT * FROM tblUsers WHERE Adress LIKE '%" & sAddress & "%'"
Put the % sign on the front and at the end, in order to search the entire
field
Check out this 2 Part Tutorial on Parameterized Queries:
http://aspnet101.com/aspnet101/tutorials.aspx?id=1
LIKE is covered in Part 2
David Wier
http://aspnet101.com
http://aspexpress.com
"wilco" <wi**********@hetnet.nl> wrote in message
news:bg**********@reader11.wxs.nl...
hello,
can anyone tell me how to create a stored procedure that is able to
search a table, or more tables, and can make use of wildcards?
I just made something like this:
SELECT * FROM tblUsers WHERE Adress LIKE '* Value from user who wants to
search the database *'
but I don't know where to place the @??? for the input.
I also want to make it so the user can select which table and field he wants
to search.
thanks!!
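The three points raised in this thread (the concatenated LIKE in David's reply, the parameterized LIKE in Jerry's reply, and wilco's wish to let the user pick the table and field), as one added, runnable example. It is not code from any of the posters; it uses Python's built-in sqlite3 module instead of ADO.NET so it runs stand-alone, with constructed sample rows. The table name tblUsers and the column spelling "Adress" follow the original question; everything else (the names, the allow-list, the escape helper) is assumed for illustration.

```python
import sqlite3

# Constructed sample data (not from the thread). The column spelling "Adress"
# follows the original question.
SAMPLE_ROWS = [
    (1, "Alice", "12 Main Street"),
    (2, "Bob", "7 Elm Avenue"),
    (3, "Carol", "100% Main Road"),
]

# Allow-list for "let the user pick the table and field": identifiers cannot
# be bound as parameters, so they are validated against a fixed set instead.
ALLOWED_COLUMNS = {"tblUsers": ("Name", "Adress")}


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (Id INTEGER PRIMARY KEY, Name TEXT, Adress TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, term):
    """The concatenation pattern from the thread: the user's input becomes SQL text."""
    sql = "SELECT Name FROM tblUsers WHERE Adress LIKE '%" + term + "%' ORDER BY Id"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Parameterized LIKE: the % wildcards live in the bound value, not in the SQL."""
    sql = "SELECT Name FROM tblUsers WHERE Adress LIKE ? ORDER BY Id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def escape_like(term, esc="\\"):
    """Escape %, _ and the escape character itself so the term matches literally.

    Parameters stop SQL injection, but % and _ typed by the user are still
    LIKE wildcards; this is the extra step for a true substring search.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_field(conn, table, column, term):
    """Parameterized, wildcard-escaped LIKE on a caller-chosen table and column.

    The table/column pair must be in ALLOWED_COLUMNS; anything else is rejected
    before it gets anywhere near the SQL text.
    """
    if column not in ALLOWED_COLUMNS.get(table, ()):
        raise ValueError(f"search on {table}.{column} is not permitted")
    # Double quotes are SQLite's (and ANSI SQL's) identifier quoting, like [..] in SQL Server.
    sql = f'SELECT Name FROM "{table}" WHERE "{column}" LIKE ? ESCAPE \'\\\' ORDER BY Id'
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    hostile = "zzz' OR 1=1 --"
    print("concat, normal term:  ", search_concat(db, "Main"))
    print("concat, hostile term: ", search_concat(db, hostile))   # every row comes back
    print("param, hostile term:  ", search_param(db, hostile))    # nothing matches
    print("param, bare %:        ", search_param(db, "%"))        # wildcard still works
    print("escaped, bare %:      ", search_field(db, "tblUsers", "Adress", "%"))
```

With the parameterized version the hostile string is just a value that matches no row, whereas the concatenated version returns the whole table. The last two calls show the caveat that is easy to miss: a parameter keeps the input out of the SQL, but `%` and `_` inside the value are still wildcards, so a literal search needs the ESCAPE clause as well.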