
Hello friend, I need help. I have two columns (Brand, Model). I need, when I find the data from my table through text boxes, to show that this data is already available in the following row.

Dim cmd As New SqlCommand
cmd.Connection = cn
cmd.CommandText = "SELECT * FROM Table_3 WHERE Brand,Model='" & TextBox5.Text & " and" & TextBox6.Text & "'"
Dim adapter As New SqlDataAdapter(cmd)
Dim table As New DataTable()
adapter.Fill(table)
If table.Rows.Count() > 0 Then
    ' TextBox_1.Text = table.Rows(0)(0).ToString()
    MessageBox.Show("this data already available")
Else
    MessageBox.Show("not available")
End If
marc_s
    You need to learn about parameterised queries, otherwise you're open to [SQL Injection](https://en.wikipedia.org/wiki/SQL_injection) – freefaller Dec 09 '19 at 17:07
  • send me the example – jabar khan Dec 09 '19 at 17:08
  • Correct my Code – jabar khan Dec 09 '19 at 17:16
  • That is some deadly code =). What freefaller is trying to say is, what happens when someone enters `' ; drop table Table_3 --` into TextBox5? – Jason Dec 09 '19 at 17:20
  • SQL injection is a rampant and easily avoidable problem. You should address that first. To answer your question, your syntax is incorrect. The correct syntax for what you are trying to do is: `where brand = 'x' and model = 'y'` – Jason Dec 09 '19 at 17:25
  • *send me the example* - see [Why do we always prefer using parameters in SQL statements?](https://stackoverflow.com/q/7505808) and [How do I re-write a SQL query as a parameterized query?](https://stackoverflow.com/q/25820944). – dbc Dec 09 '19 at 18:02

1 Answer

Your SQL string was wrong; try this.

Use parameters instead of concatenating

Dim cmd As New SqlCommand
With cmd
  .Connection = cn
  .CommandText = "SELECT * FROM Table_3 WHERE Brand = @Brand AND Model= @Model"
  .Parameters.AddWithValue("@Brand", TextBox5.Text)
  .Parameters.AddWithValue("@Model", TextBox6.Text)
End With
Dim adapter As New SqlDataAdapter(cmd)
Dim table As New DataTable()
adapter.Fill(table)
If table.Rows.Count() > 0 Then
  ' TextBox_1.Text = table.Rows(0)(0).ToString()
  MessageBox.Show("this data already available")
Else
  MessageBox.Show("not available")
End If
LarsTech