This doesn't work because an apostrophe (') is special SQL syntax. It is used to indicate string literals. So when you are searching for John Doe your SQL will look like:

    Select * from MyTable Where name='John Doe'

Now look what happens when you enter O'Brien:

    Select * from MyTable where name = 'O'Brien'

See? It breaks.
In fact, this is taken advantage of by SQL Injection Attacks.
You need to change how you are creating your SQL query. Instead of using input directly from the user while creating your SQL query, use parameters instead.

So instead of creating your SQL query like this (the user's text is concatenated straight into the statement):

    sqlCom.CommandText = "Select * From myTable where name = '" + myTextBox.Text + "'";

You would create your SQL query like this:

    sqlCom.CommandText = "Select * From myTable Where name = @searchName";
    sqlCom.Parameters.Add("@searchName", SqlDbType.VarChar).Value = myTextBox.Text;
For examples please see the article on how to use a database in your program.
-Frinny
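A complete version of the parameterized lookup described in the answer above, added here as an editor's example rather than Frinny's code or anything from the original thread. It assumes a SQL Server table called MyTable with a VARCHAR column named name, uses the System.Data.SqlClient provider, and takes a placeholder connection string that you would replace with your own:

```csharp
// Added example (not from the original post): a parameterized lookup with SqlCommand.
// Assumptions: a SQL Server table MyTable with a VARCHAR column "name",
// and a connection string supplied by the caller (placeholder in Main below).
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class CustomerLookup
{
    // Returns the name column of every row whose name exactly matches searchName.
    // The user's text never becomes part of the SQL statement; it is sent to the
    // server separately as the value of @searchName, so an apostrophe in
    // "O'Brien" is just data, not syntax.
    public static List<string> FindByName(string connectionString, string searchName)
    {
        var results = new List<string>();

        using (var connection = new SqlConnection(connectionString))
        using (var sqlCom = new SqlCommand(
            "Select * From MyTable Where name = @searchName", connection))
        {
            // Declare the parameter with an explicit type and length that match
            // the column; the value is bound, never concatenated into the text.
            sqlCom.Parameters.Add("@searchName", SqlDbType.VarChar, 100).Value = searchName;

            connection.Open();
            using (SqlDataReader reader = sqlCom.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader["name"].ToString());
                }
            }
        }
        return results;
    }

    public static void Main()
    {
        // Placeholder connection string: replace with your own.
        const string connectionString =
            "Server=(localdb)\\MSSQLLocalDB;Database=MyDatabase;Integrated Security=true;";

        // Both inputs are handled identically; the second one is the case that
        // breaks (and becomes injectable) when the query is built by concatenation.
        foreach (var name in new[] { "John Doe", "O'Brien" })
        {
            var rows = FindByName(connectionString, name);
            Console.WriteLine($"{name}: {rows.Count} row(s)");
        }
    }
}
```

The explicit length on the VarChar parameter is deliberate: giving every call the same declared size lets SQL Server reuse one cached execution plan, and it keeps the parameter from being inferred from whatever length the user happened to type.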