0

I'm trying to search an employee record but i'm getting this error message:

An expression of non-boolean type specified in a context where a condition is expected, near 'OR'.

This is the code I'm using:

sConn = new SqlConnection(sStr);

daEmp2 = new SqlDataAdapter("
SELECT employee.*,
       department.Department
FROM tblEmployee employee
INNER JOIN tblDepartment department ON employee.DeptID=department.DeptID
WHERE Lname OR Fname LIKE '%" + txtName.Text + "%'
", sConn);

dsEmp2 = new DataSet();
daEmp2.Fill(dsEmp2, "tblEmployee");

is there something wrong with my query?

wvdz
  • 16,251
  • 4
  • 53
  • 90
user2971155
  • 195
  • 2
  • 4
  • 11
  • 1
    Warning: Your code is vulnerable to SQL Injection Attacks. Do not simply concatenate strings to form SQL Statements. Instead, use parameters. – NYCdotNet Nov 17 '13 at 00:13

3 Answers3

4

or connects boolean conditions in SQL -- conditions that evaluate to true or false.

You need to repeat the condition:

Lname LIKE '%" + txtName.Text + "%'" OR Fname LIKE '%" + txtName.Text + "%'"
Gordon Linoff
  • 1,242,037
  • 58
  • 646
  • 786
3

Your query contains a syntactical error because you don't provide an operator and a comparison value for the Lname field 

...  where Lname ??????? OR Fname LIKE ...

After the Lname you should add an operator (=, LIKE...) and a comparison value to allow the evaluation of the expression

...  where Lname LIKE 'AName' OR Fname LIKE ...

Apart from this, please remove the string concatenation used for the FName value and use a parameterized query

For example

 using(sConn = new SqlConnection(sStr))
 using(daEmp2 = new SqlDataAdapter("SELECT employee.*,department.Department " + 
                            "FROM tblEmployee employee inner join tblDepartment department " + 
                            "on employee.DeptID=department.DeptID " + 
                            "where Lname LIKE @last OR Fname LIKE @first", sConn))
 {
      daEmp2.SelectCommand.Parameters.AddWithValue("@last", "%" + LastNameTextBox.Text + "%");
      daEmp2.SelectCommand.Parameters.AddWithValue("@first", "%" + txtName.Text  + "%");
      dsEmp2 = new DataSet();
      daEmp2.Fill(dsEmp2, "tblEmployee");
 }

Using a parameterized query avoid the possibility of Sql Injection, a security problem really easy to leverage as you can see from this very famous comic strip

Community
  • 1
  • 1
Steve
  • 213,761
  • 22
  • 232
  • 286
0

You need to use twice LIKE expression:

"SELECT .....  WHERE Lname LIKE '%" + txtName.Text + "%' OR Fname LIKE '%" + txtName.Text + "%'"
Ed Ganiukov
  • 91
  • 4