
I am trying do something like this example:

adp.SelectCommand.CommandText = "select * from table1 where @1=@2 and @3=@4";
adp.SelectCommand.Parameters.AddWithValue("@1", textBox1.Text);
adp.SelectCommand.Parameters.AddWithValue("@2", textBox2.Text);

I think it's pretty clear what I would like to do. I want both the field name (database column) and the value to be taken from text boxes within a WinForms form. But the results aren't good. Can you please tell me what I'm doing wrong? There are no errors or anything.

Thanks in advance.

  • Are you also adding Parameters @3 and @4? Also, you should realize that there's not enough information on what your problem might be. Commented Apr 8, 2014 at 13:32
  • Yes. Try it yourself. It seems the field name cannot be a variable. Commented Apr 8, 2014 at 13:35

2 Answers


Only values are considered to be parameters in queries. The attributes you reference are never parameters. This is a basic rule of SQL and many other query language implementations.

But you can code around this constraint as shown below.

Mind that the actual attribute names should NEVER come from the outside (user or database) but be hard-coded for security reasons. Not doing so might expose you to SQL injection and similar attacks.

To summarize:

  • values are parameters
  • attributes are hard-coded

This is the source code you should adapt to your problem:

QueryCase querycase;
string querytext, attributeName1, attributeName2;

querycase = QueryCase.Alpha; // switch between possible queries

// somewhere later in your code...

switch (querycase)
{
    case QueryCase.Alpha:
        attributeName1 = "attribute1";
        attributeName2 = "attribute2";
        break; // C# does not allow a non-empty case to fall through to the next one
    case QueryCase.Beta:
        attributeName1 = "attribute3";
        attributeName2 = "attribute4";
        break;
    default:
        // every enum member must be handled above, otherwise the names stay unassigned
        throw new NotImplementedException(string.Format("unrecognized query case (was {0})", (int)querycase));
}

querytext = string.Format("select * from table1 where {0}=@1 and {1}=@2", attributeName1, attributeName2);

adp.SelectCommand.CommandText = querytext;

Here, querycase is a hard-coded enum so that you cannot set arbitrary attribute names:

enum QueryCase
{
    Alpha,
    Beta
}

2 Comments

Thank you, I will see how that would work. I'm not worried about security problems ATM, I'm using Access for god's sake :)
If I'd post something that is not secure and opens you up to SQL injection you and the SO community would have all reasons to downvote me, and believe me, I would downvote myself, too! :)
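The same "values are parameters, attribute names are hard-coded" rule, as an added example that is not from the answer above: the user picks a column from a fixed list (for instance a ComboBox), the choice is mapped through a whitelist to a hard-coded column name, and only the typed values travel as parameters. It assumes an Access database reached through the OLE DB provider (which takes positional `?` markers), and the column names `FirstName`, `LastName` and `City` are made up for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb; // OLE DB provider, as used for Access; System.Data.OleDb package on .NET Core

static class SafeColumnFilter
{
    // Whitelist: the key is what the UI offers (e.g. a ComboBox entry), the value is the
    // hard-coded column name that goes into the SQL text. Nothing typed by the user is
    // ever spliced into the query. Column names here are assumed for the example.
    private static readonly IReadOnlyDictionary<string, string> AllowedColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["First name"] = "FirstName",
            ["Last name"]  = "LastName",
            ["City"]       = "City",
        };

    // Map a UI choice to a whitelisted column name, or refuse the request outright.
    public static string ResolveColumn(string uiChoice)
    {
        if (uiChoice != null && AllowedColumns.TryGetValue(uiChoice, out var column))
            return column;
        throw new ArgumentException($"'{uiChoice}' is not a selectable column");
    }

    // Column names come only from the whitelist; the two values are always parameters.
    public static OleDbCommand BuildCommand(string choice1, string value1,
                                            string choice2, string value2)
    {
        string col1 = ResolveColumn(choice1);
        string col2 = ResolveColumn(choice2);

        // OLE DB binds parameters by position, so '?' is used; the names are for readability only.
        var cmd = new OleDbCommand($"select * from table1 where [{col1}] = ? and [{col2}] = ?");
        cmd.Parameters.Add("@1", OleDbType.VarWChar).Value = (object)value1 ?? DBNull.Value;
        cmd.Parameters.Add("@2", OleDbType.VarWChar).Value = (object)value2 ?? DBNull.Value;
        return cmd; // assign cmd.Connection (or adp.SelectCommand = cmd) before executing
    }

    static void Main()
    {
        var cmd = BuildCommand("First name", "Alice", "City", "Paris' OR 1=1 --");
        Console.WriteLine(cmd.CommandText); // the value with the quote stays inside a parameter
        try { ResolveColumn("FirstName; DROP TABLE table1"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```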

There is no result when you compare 2 parameters; your code must be:

adp.SelectCommand.CommandText = "select * from table1 where ColumnName1=@1 and ColumnName2=@2";
adp.SelectCommand.Parameters.AddWithValue("@1", textBox1.Text);
adp.SelectCommand.Parameters.AddWithValue("@2", textBox2.Text);
