Hi, I'm new to C# and I have a Windows Forms form with a textbox `Barcode_txtBx` and a button `Search_btn` which filters the records in a `DataTable` `dt` down to one record, and another textbox `Manufacturer_txtBx` to display the data table column Manufacturer. I can do the filtering, but I can't find a way to display the relevant column in the textbox `Manufacturer_txtBx`. This is the code I have so far.

private void Search_btn_Click(object sender, EventArgs e)
{
    connection.Open();
    OleDbCommand command = new OleDbCommand();
    command.Connection = connection;
    // The barcode text is concatenated straight into the SQL string
    command.CommandText = "Select * from BookInTable where Barcode = '" + Barcode_txtBx.Text + "'";
    OleDbDataReader reader = command.ExecuteReader();
    DataTable dt = new DataTable();
    dt.Load(reader);                // dt now holds the matching row(s)
    Manufacturer_txtBx.Text = "";   // placeholder: should show dt's Manufacturer column
    connection.Close();
}

At the moment `Manufacturer_txtBx` is displaying an empty string just so I don't get an error.

  • A `DataTable` usually implies there are multiple rows in the result, but I'm assuming you have just one. I suggest you look at the MSDN documentation for `DataTable` and its `Rows` property. Also, if you just want the manufacturer for a single row, consider `SELECT`ing just that column instead of `*`, and do `ExecuteScalar` instead of `ExecuteReader`. – Crowcoder May 06 '17 at 11:43
  • Additionally, you are wide open to SQL injection. Do you know what would happen if someone typed this into the barcode box? : `123'; DELETE FROM [BookInTable]; --`. You can mitigate this by [parameterizing your query.](http://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – Crowcoder May 06 '17 at 11:48
  • The database initially has multiple records but only has one in the DataTable after the filter, and realistically the relevant data gets output to 5 different text boxes (Manufacturer, Type, Model, PartNumber and AdditionalNotes). But for ease I'm only concentrating on one. I'm just learning C# at the moment while I'm off work ill after a stroke, realistically just to keep my brain busy and improve my cognitive ability. So this database is never going to be used. I would think putting an input mask on the textbox would stop SQL injection, but I haven't tried it at this moment. – Paul Sharrock May 06 '17 at 12:14
  • @Crowcoder With Access you can't leverage that kind of SQL injection because Access doesn't support multiple commands. Nevertheless you are correct. It is of utmost importance to learn how to sanitize database inputs using the correct approach: parameters. – Steve May 06 '17 at 12:22
  • @Steve, good to know. – Crowcoder May 06 '17 at 12:26

1 Answer


This works to add the data to the TextBoxes:

    private void Search_btn_Click(object sender, EventArgs e)
    {
        connection.Open();

        OleDbCommand command = new OleDbCommand();
        command.Connection = connection;
        command.CommandText = "Select * from BookInTable where Barcode = '" + Barcode_txtBx.Text + "'";
        OleDbDataReader reader = command.ExecuteReader();

        DataTable dt = new DataTable();
        dt.Load(reader);

        // Guard: Rows[0] throws IndexOutOfRangeException when the barcode is not found
        if (dt.Rows.Count == 0)
        {
            connection.Close();
            MessageBox.Show("No record found for barcode " + Barcode_txtBx.Text);
            return;
        }

        // Copy the wanted columns of the single matching row into the text boxes.
        // ItemArray is indexed by the column's position in BookInTable (0-based).
        DataRow row = dt.Rows[0];
        Manufacturer_txtBx.Text = row.ItemArray[5].ToString();
        Type_txtBx.Text = row.ItemArray[6].ToString();
        Model_txtBx.Text = row.ItemArray[7].ToString();
        PartNumber_txtBx.Text = row.ItemArray[8].ToString();
        AdditionalDetails_txtBx.Text = row.ItemArray[13].ToString();
        connection.Close();
    }

Crowcoder and Steve are right that this is not sanitised in any way, and any working database should be.
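Following up on the comments above and on the answer: an added example, not code from the question or the answer, showing the same lookup with an OleDb parameter in place of the concatenated string, and with the columns read by name instead of by `ItemArray` position. Assumed and not stated on the page: the connection string and provider, that `Barcode` is a text column, and the column names `Type`, `Model`, `PartNumber` and `AdditionalNotes` (the question's comment lists the text boxes, not the columns). The form's controls are assumed to come from the designer file, as in the question.

```csharp
// Added example: parameterized OleDb lookup for the BookInTable search.
// Assumptions (not on the page): connection string/provider, column names
// Type, Model, PartNumber, AdditionalNotes, and that Barcode is a text column.
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

public class BookRecord
{
    public string Manufacturer { get; set; }
    public string Type { get; set; }
    public string Model { get; set; }
    public string PartNumber { get; set; }
    public string AdditionalNotes { get; set; }
}

public static class BookLookup
{
    // Returns the matching record, or null when no row has that barcode.
    public static BookRecord FindByBarcode(string connectionString, string barcode)
    {
        // OleDb placeholders are positional '?'; parameters bind in the order they are added.
        // Identifiers are bracketed because Type is a reserved word in Access SQL.
        const string sql =
            "SELECT [Manufacturer], [Type], [Model], [PartNumber], [AdditionalNotes] " +
            "FROM [BookInTable] WHERE [Barcode] = ?";

        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(sql, connection))
        {
            // The barcode travels as a typed value, never as SQL text, so input such as
            //   123' OR '1'='1
            // is compared literally against the Barcode column and matches nothing.
            command.Parameters.Add("@Barcode", OleDbType.VarWChar, 255).Value = barcode;

            connection.Open();  // 'using' closes it even if ExecuteReader throws
            using (OleDbDataReader reader = command.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                {
                    return null;
                }
                // DBNull.Value.ToString() is "", so empty columns become empty text boxes.
                return new BookRecord
                {
                    Manufacturer = reader["Manufacturer"].ToString(),
                    Type = reader["Type"].ToString(),
                    Model = reader["Model"].ToString(),
                    PartNumber = reader["PartNumber"].ToString(),
                    AdditionalNotes = reader["AdditionalNotes"].ToString(),
                };
            }
        }
    }
}

// Inside the form, the click handler only moves data between the record and the controls.
// The control fields (Barcode_txtBx, Manufacturer_txtBx, ...) are assumed to be declared
// in the designer file, as in the question.
public partial class BookInForm : Form
{
    // Assumed connection string; adjust provider and path to the actual database.
    private readonly string connectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=BookIn.accdb;";

    private void Search_btn_Click(object sender, EventArgs e)
    {
        BookRecord record = BookLookup.FindByBarcode(connectionString, Barcode_txtBx.Text.Trim());
        if (record == null)
        {
            MessageBox.Show("No record found for barcode " + Barcode_txtBx.Text);
            return;
        }
        Manufacturer_txtBx.Text = record.Manufacturer;
        Type_txtBx.Text = record.Type;
        Model_txtBx.Text = record.Model;
        PartNumber_txtBx.Text = record.PartNumber;
        AdditionalDetails_txtBx.Text = record.AdditionalNotes;
    }
}
```

Steve's point about Access holds: the Jet/ACE engine does not execute batched statements, so the `DELETE` payload from the comments fails with a syntax error instead of running. The concatenated query is still broken, though: any barcode containing a quote produces a malformed statement, and a value like `' OR '1'='1` turns the `WHERE` clause into one that matches every row. An input mask on the textbox only constrains what the UI accepts, and the SQL still has to be built from untrusted text; binding the value as a parameter removes the problem at the point where the query is constructed.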