In C# how to get value from text box using quotes

Question

In my program i need to get value from the database , so using a texbox so that client type anything and i can search from database.

My code is

 SqlCommand sqlcmd = sqlcon.CreateCommand();
 sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = " + textBox_cardNumber.Text;

the above is not my full code but here in my code i am using textbox_cardNumber ...

I want that in quotes ''

it should be like

Select distinct transactionName from dbo.tbl where terminalId = '0097'

So my question is how to get in quotes???

You are highly susceptible to SQL injection. Use paramaterized queries.... — squillman, Aug 28 '13 at 12:22

score 6 · Accepted Answer · edited May 23 '17 at 10:32

Use a parameterized query like this

SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl " + 
                     "where terminalId = @id";

sqlCmd.Parameters.AddWithValue("@id",  textBox_cardNumber.Text);
....

In this way you defer the job to recognize your data (the textbox text) as a string to the Framework code that knows how to correctly quote your value. Also you remove the possibilities of Sql Injection attacks

Dominic B. · Answer 2 · 2013-08-28T12:31:20.743

4

  "'" + textBox_cardNumber.Text + "'";

I hope I understood you!

edited Aug 28 '13 at 12:31

answered Aug 28 '13 at 12:25

Dominic B.

1,897
1
16
31

`it should be like Select distinct transactionName from dbo.tbl where terminalId = '0097'` single quotes, not double. – Don Thomas Boyle Aug 28 '13 at 12:27
Yeah, saw it just when you said. Sorry! – Dominic B. Aug 28 '13 at 12:31
Why don't you use the Parameters property of the Sqlcommand itself? – Florian Aug 28 '13 at 12:38
@thefiloe It is not the best way to do it, I know! It was just as I read the question, I did not exactly watch the problem on SQL. – Dominic B. Aug 28 '13 at 12:44
1

Well. So you'd better do something like this: `String.Format("...'{0}'...", textBox_cardNumber.Text)` – Florian Apr 19 '14 at 12:03

score 1 · Answer 3 · answered Aug 28 '13 at 12:23

1

You can also try this, but this is not good practice, used always Parameter.

sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = '" + textBox_cardNumber.Text +"'";

answered Aug 28 '13 at 12:23

Amit

15,217
8
46
68

score 1 · Answer 4 · answered Aug 28 '13 at 12:28

1

You can try this code:

SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "Select distinct transactionName from dbo.tbl where terminalId = '"
+  textBox_cardNumber.Text+"'";

answered Aug 28 '13 at 12:28

Arun Chandran Chackachattil

3,356
7
31
45

score 0 · Answer 5 · answered Aug 28 '13 at 12:23

Instead of string concatenation, you ~~can~~ should use parameterized sql instead. Because this kind of codes are open for SQL Injection attacks.

SqlCommand sqlcmd = sqlcon.CreateCommand();
sqlcmd.CommandText = "SELECT DISTINCT transactionName FROM dbo.tbl
                      WHERE terminalId = @terminalID";

sqlcmd.Parameters.AddWithValue("@terminalID", textBox_cardNumber.Text);

A side note, take a look at SQL Injection Attacks by Example

score 0 · Answer 6 · answered Aug 28 '13 at 12:24

0

You need to make use of prepared statements in which you use parameters.

Otherwise, you need to add quotes around your input string, but it will leave you open for SQL injection

answered Aug 28 '13 at 12:24

nl-x

11,762
7
33
61

In C# how to get value from text box using quotes

6 Answers6