"Tim Sprout" <tm**@ptialaska.net> wrote in message
news:%2****************@TK2MSFTNGP05.phx.gbl...
> I want button1_Click on Form1 to send a query using the textBox1.Text
> string as part of the query. I want to populate a dataGridView from an
> Access database file. I am trying to build a search box with the textBox1.
> How do I pass the textBox1.Text string to the query? The query string
> below gives me one blank row:
>
> string strOleDb = "Select * from ProjectTable WHERE (ProjectName LIKE 'textBox1.Text')";
The easiest -and not recommended- way to do it is to concatenate the text
to the query:

string strOleDb = "Select * from ProjectTable WHERE (ProjectName LIKE '" + textBox1.Text + "')";

This would work, BUT it has the risk of suffering what is known as a "Sql
Injection attack": If a user enters in the textbox something that looks like
Sql, it would be executed at your server. It also has other problems, for
instance, if the Text were "O'Donell", the code would crash with a syntax
error due to the single quote.
The recommended way to pass the text is to parameterize the Sql Query:

string strOleDb = "Select * from ProjectTable WHERE (ProjectName LIKE ?)";
OleDbCommand cmd = new OleDbCommand(strOleDb, connection);
cmd.Parameters.AddWithValue("FirstParam", textBox1.Text);
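Putting the parameterized approach into a complete button handler that fills the grid (an added example, not code from either poster): it assumes a WinForms Form1 with the designer-generated textBox1 and dataGridView1, and a connection string that you must point at your own .mdb file. It also adds the two things a search box needs that the snippet above leaves out: the LIKE wildcards, which go into the parameter value rather than the SQL text, and escaping of wildcard characters the user might type.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

public partial class Form1 : Form
{
    // Assumed connection string; adjust the provider and path for your database.
    private const string ConnString =
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\path\\to\\Projects.mdb";

    private void button1_Click(object sender, EventArgs e)
    {
        // The search term never becomes part of the SQL text: it is sent as a
        // parameter value, so quotes (O'Donell) or SQL keywords in it are data.
        const string sql = "SELECT * FROM ProjectTable WHERE ProjectName LIKE ?";

        // Wildcards belong in the value, not in the SQL. Through OLE DB the
        // Jet/ACE provider uses the ANSI wildcards % (any run) and _ (one char).
        string pattern = "%" + EscapeLikeWildcards(textBox1.Text) + "%";

        DataTable table = new DataTable();
        using (OleDbConnection conn = new OleDbConnection(ConnString))
        using (OleDbCommand cmd = new OleDbCommand(sql, conn))
        {
            // OleDb parameters are positional (matched to the ? marks in order);
            // the name passed here is only a label.
            cmd.Parameters.AddWithValue("@pattern", pattern);

            using (OleDbDataAdapter adapter = new OleDbDataAdapter(cmd))
            {
                adapter.Fill(table); // Fill opens and closes the connection itself
            }
        }

        // Binding the DataTable shows one row per match, with all columns.
        dataGridView1.DataSource = table;
    }

    // Without this, a user typing % or _ would match everything or any single
    // character. Jet/ACE treats a wildcard wrapped in brackets as a literal;
    // the opening bracket itself is escaped first so it is not re-escaped.
    private static string EscapeLikeWildcards(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

If the search should match only names that start with the text, drop the leading "%" from the pattern; the parameter still carries the whole value, so the protection is unchanged.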