C# SQL Server query
This code segment I have written in C#. Mobile and Name are columns in the table. The problem is that there is a wrong format of the query. Is the syntax correct if I want to connect 2 queries in C# using OR?
SqlDataAdapter da = new SqlDataAdapter("select * from [Contact Management] where Mobile='" + Convert.ToInt32(txtSearch.Text) + "' or Name='" + txtSearch.Text + "'", con);
No, the syntax is not correct. It's vulnerable to SQL injection attacks. You need to build it like this:
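SqlCommand cmd = new SqlCommand("select * from [Contact Management] where Mobile = @search or Name = @search", con);
SqlDataAdapter da = new SqlDataAdapter(cmd);
// the search text travels as a parameter value and is never concatenated into the SQL
cmd.Parameters.Add("@search", SqlDbType.NVarChar, 50).Value = txtSearch.Text;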
You can write the query this way:
select * from [Contact Management] where @search in (Mobile, Name)
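An added example, not part of the original question or answer: the same lookup as a complete method with one typed parameter per column, so that a name typed into the search box is never compared against a numeric column and never reaches Convert.ToInt32, which throws on non-numeric input. It assumes Mobile is a BIGINT column and Name is NVARCHAR(50); the class name, method name and connectionString argument are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ContactSearch
{
    // Assumption: Mobile is BIGINT and Name is NVARCHAR(50) in [Contact Management].
    const string Sql =
        "SELECT * FROM [Contact Management] " +
        "WHERE Name = @name OR (@mobile IS NOT NULL AND Mobile = @mobile)";

    // Hypothetical helper: connectionString is supplied by the caller.
    public static DataTable Search(string connectionString, string searchText)
    {
        string term = (searchText ?? string.Empty).Trim();
        if (term.Length == 0 || term.Length > 50)
            return new DataTable();   // nothing sensible to look up

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(Sql, con))
        using (var da = new SqlDataAdapter(cmd))
        {
            // The text is sent as data; it is never spliced into the SQL string.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = term;

            // Compare against Mobile only when the input parses as a number;
            // otherwise send NULL so that branch of the WHERE clause is skipped.
            SqlParameter mobile = cmd.Parameters.Add("@mobile", SqlDbType.BigInt);
            mobile.Value = long.TryParse(term, out long number)
                ? (object)number
                : DBNull.Value;

            var results = new DataTable();
            da.Fill(results);   // Fill opens and closes the connection itself
            return results;
        }
    }
}
```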