
This is the code that is used to make the search

    // Click handler that runs the search (code as posted in the question; the
    // concatenated SQL on the SqlDataAdapter line is what produces the error)
    private void button1_Click(object sender, EventArgs e)
    {
        string connectionString = Tyre.Properties.Settings.Default.Database1ConnectionString;
        SqlConnection conn = new SqlConnection(connectionString);
        DataTable dt = new DataTable();
        // The text box value is pasted straight into the SQL text without quotes,
        // so SQL Server reads it as a column name rather than as a string
        SqlDataAdapter SDA = new SqlDataAdapter("SELECT * FROM table1 where Nom like " + textBox1.Text, conn);
        SDA.Fill(dt);
        dataGridView1.DataSource = dt;
    }

and I'm getting this error

An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

Additional information: Invalid column name 'elie'.

That's an example of my application: (screenshot)

Elie M

1 Answer

First off, your code is wide open to SQL Injection. You allow the user to insert any data he wants including

; DROP TABLE table1

To fix the immediate issue, surround the item to be matched with single quotes and % signs:

"SELECT * FROM table1 where Nom like '%" + textBox1.Text + "%'"

However, you absolutely should look into using a parameterized query.

Eric J.
  • 1
    thx bro it works well ... and im using this programe for my owen garage and its not connect to internet ... – Elie M Feb 04 '13 at 20:58
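The answer above recommends a parameterized query but does not show one. The following is an added example, not code from the question or the answer, of how the same search looks when the user's text is passed as a parameter instead of being concatenated into the SQL. The table name `table1`, the column `Nom`, the connection string setting and the control names come from the question; the `EscapeLikePattern` helper and the `ESCAPE '\'` clause are additions. The original error happens because an unquoted `elie` after `like` is parsed as an identifier; quoting it (as the answer shows) fixes that symptom, while the parameter fixes the underlying problem that user text is being interpreted as SQL at all.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Added example: the search from the question rewritten as a parameterized
// query. Names taken from the question: table1, Nom, textBox1, dataGridView1,
// Tyre.Properties.Settings.Default.Database1ConnectionString.
public partial class Form1 : Form
{
    private void button1_Click(object sender, EventArgs e)
    {
        string connectionString = Tyre.Properties.Settings.Default.Database1ConnectionString;

        // The SQL text is fixed at compile time; user input never becomes part of it.
        // ESCAPE '\' makes a backslash the escape character for LIKE wildcards.
        const string sql = "SELECT * FROM table1 WHERE Nom LIKE @pattern ESCAPE '\\'";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // The % wildcards are added in code, so the user's text can only ever
            // be a value to match; it travels to SQL Server as data, not as SQL.
            string pattern = "%" + EscapeLikePattern(textBox1.Text) + "%";
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 4000).Value = pattern;

            DataTable dt = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(dt); // Fill opens and closes the connection itself
            }
            dataGridView1.DataSource = dt;
        }
    }

    // LIKE still treats %, _ and [ as wildcards inside a parameter value, so a
    // search for "100%" would otherwise match every name starting with "100".
    // Escaping them keeps the user's text literal (helper added for this example).
    private static string EscapeLikePattern(string input)
    {
        return input
            .Replace("\\", "\\\\")
            .Replace("%", "\\%")
            .Replace("_", "\\_")
            .Replace("[", "\\[");
    }
}
```

With this version a value such as `'; DROP TABLE table1 --` typed into the text box is simply searched for as a name and matches nothing, because the server receives it as the contents of `@pattern` rather than as part of the statement. The `SqlDbType.NVarChar` length of 4000 is a size chosen for the example; match it to the column's declared type so the cached query plan is reused.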