
I call this method on the form load event: GetProducts(" "); This query works fine in SQL. It was working until I added WHERE. When I use the debugger, it points to this line >> SqlDataReader myReader = cmd.ExecuteReader(); Can anyone advise me?

    // Requires: using System.Data.SqlClient; using System.Windows.Forms;
    // The SQL text below is reproduced exactly as posted: "GetProducts" has no trailing
    // space before "WHERE", and the @F inside the quoted '%@F%' sits within a string
    // literal rather than being a parameter reference.
    public void GetProducts(string find)
    {
        try
        {
            using (SqlConnection conn = new SqlConnection(Program.ConnectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT ID, BarCode, ArtNumber, ProductName, Price, SelfPrice, PriceWithOutAWD, TotalSelfPrice, UnitsInStock, " +
                                                   " Comment, InputDateTime, InputQuantity, Margin, CategoryName, TypeName, ExpDate FROM GetProducts" +
                                                   "WHERE BarCode LIKE '%@F%' OR ArtNumber LIKE '%@F%' OR ProductName LIKE '%@F%' OR Price LIKE '%@F%' OR Comment LIKE '%@F%' ",
                                                   conn))
            {
                cmd.Parameters.AddWithValue("@F", find);
                conn.Open();

                // Dispose the reader so the connection is released even if a cast below throws.
                using (SqlDataReader myReader = cmd.ExecuteReader())
                {
                    while (myReader.Read())
                    {
                        ProductTable.Rows.Add
                            (
                            (int)myReader["ID"],
                            myReader["BarCode"].ToString(),
                            myReader["ArtNumber"].ToString(),
                            myReader["ProductName"].ToString(),
                            (decimal)myReader["Price"],
                            (decimal)myReader["SelfPrice"],
                            (decimal)myReader["PriceWithOutAWD"],
                            myReader["TotalSelfPrice"].ToString(),
                            myReader["UnitsInStock"].ToString(),
                            myReader["Comment"].ToString(),
                            myReader["InputDateTime"].ToString(),
                            myReader["InputQuantity"].ToString(),
                            myReader["Margin"].ToString(),
                            myReader["CategoryName"].ToString(),
                            myReader["TypeName"].ToString(),
                            myReader["ExpDate"].ToString()
                            );
                    }
                }
            }
        }
        catch (Exception)
        {
            MessageBox.Show(Program.MsgError1, "Acid", MessageBoxButtons.OK, MessageBoxIcon.Warning);
        }
    }
  • Can you specify the error that you are getting? (Commented Mar 15, 2011 at 12:20)

2 Answers

... FROM GetProducts"+
"WHERE BarCode LIKE ...

Should be (note additional space between GetProducts and WHERE)

... FROM GetProducts "+
"WHERE BarCode LIKE ...

Also don't use

WHERE BarCode LIKE '%@F%'

Either Use

WHERE BarCode LIKE '%' + @F + '%' 

Or alternatively have the parameter value contain the wild cards and use

cmd.Parameters.AddWithValue("@F", "%" + find + "%"); 
 ...
WHERE BarCode LIKE @F

If you will always be searching with a leading wildcard, however, you should probably use

WHERE CHARINDEX(@F,BarCode) > 0

Your query won't be able to use an index anyway and this method avoids issues if the users search for substrings that contain characters that have a special meaning in the pattern syntax.

However, given the number of columns you are searching and the leading wildcards, you should probably use full text indexing for this anyway.

1 Comment

@Acid needs more details than that! You also need to add a space before the WHERE

It looks like you're trying to reference a parameter inside of a string literal:

WHERE BarCode LIKE '%@F%'

In this case, I think you're stuck concatenating some SQL:

" WHERE BarCode LIKE '%" + find +  "%' "

Just make sure you escape any apostrophes from find (and protect yourself from SQL Injection in general):

find = find.Replace("'","''");

2 Comments

Deleted earlier comment. As I see you are actually suggesting concatenating the executable string. The OP is not stuck doing this. The approaches in my answer definitely work (and without causing potential SQL injection issues)
@Martin - I wasn't aware that would work. Your approach is definitely more robust.
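The following is an added example, not code from the question or from either answer, that puts the first answer's advice into a working search method (and shows why the second answer's apostrophe-doubling is unnecessary once the term is bound as a parameter). It assumes a SQL Server table or view named GetProducts with the columns listed in the question; the ProductSearch class, the EscapeLikePattern helper and the Run helper are hypothetical names introduced here.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the original poster's code or either answer's. Assumes a
// SQL Server table or view named GetProducts with the columns in the question;
// the class and helper names are hypothetical.
public static class ProductSearch
{
    // Select list from the question, with a trailing space so the WHERE clause
    // appended below is not fused onto the table name.
    private const string SelectList =
        "SELECT ID, BarCode, ArtNumber, ProductName, Price, SelfPrice, PriceWithOutAWD, " +
        "TotalSelfPrice, UnitsInStock, Comment, InputDateTime, InputQuantity, Margin, " +
        "CategoryName, TypeName, ExpDate FROM GetProducts ";

    // T-SQL LIKE treats %, _ and [ as pattern syntax. Prefix them (and the escape
    // character itself) with a backslash so the ESCAPE '\' clause in the query
    // matches them literally; a user typing "50%" then finds "50%", not every row.
    public static string EscapeLikePattern(string term)
    {
        if (string.IsNullOrEmpty(term))
            return string.Empty;

        return term.Replace("\\", "\\\\")
                   .Replace("%", "\\%")
                   .Replace("_", "\\_")
                   .Replace("[", "\\[");
    }

    // Substring search with LIKE: the wildcards live in the parameter value, so the
    // SQL text never contains user input. Price is numeric, so it is converted to
    // text before being pattern-matched.
    public static DataTable SearchWithLike(string connectionString, string find)
    {
        const string sql = SelectList +
            "WHERE BarCode LIKE @F ESCAPE '\\' " +
            "OR ArtNumber LIKE @F ESCAPE '\\' " +
            "OR ProductName LIKE @F ESCAPE '\\' " +
            "OR CONVERT(nvarchar(30), Price) LIKE @F ESCAPE '\\' " +
            "OR Comment LIKE @F ESCAPE '\\'";

        return Run(connectionString, sql, "%" + EscapeLikePattern(find) + "%");
    }

    // CHARINDEX alternative from the first answer: no pattern syntax is involved,
    // so the raw term is passed through unescaped. Neither form can use an index
    // for a leading-wildcard search.
    public static DataTable SearchWithCharIndex(string connectionString, string find)
    {
        const string sql = SelectList +
            "WHERE CHARINDEX(@F, BarCode) > 0 " +
            "OR CHARINDEX(@F, ArtNumber) > 0 " +
            "OR CHARINDEX(@F, ProductName) > 0 " +
            "OR CHARINDEX(@F, CONVERT(nvarchar(30), Price)) > 0 " +
            "OR CHARINDEX(@F, Comment) > 0";

        return Run(connectionString, sql, find ?? string.Empty);
    }

    private static DataTable Run(string connectionString, string sql, string parameterValue)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length instead of AddWithValue, so every call shares
            // one cached plan regardless of how long the search term is.
            cmd.Parameters.Add("@F", SqlDbType.NVarChar, 200).Value = parameterValue;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Load copies all rows into the DataTable; callers can bind it
                // directly or merge it into an existing ProductTable.
                table.Load(reader);
            }
        }
        return table;
    }
}
```

Calling ProductSearch.SearchWithLike(Program.ConnectionString, find) returns the matching rows as a DataTable. Because the term travels as a parameter, an input such as ' OR 1=1 -- is compared as literal text rather than executed, so the find.Replace("'", "''") step from the second answer is not needed; the only characters that still need attention are the LIKE metacharacters, which EscapeLikePattern handles and which the CHARINDEX variant sidesteps entirely.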
