Don't do it like that!
Member 14680372 wrote:
string sql = " select * from comboboxnew where code = '" + comboBox1.SelectedItem + "';";
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP

    private void ComboBox1_SelectionChanged(object sender, SelectionChangedEventArgs e)
    {
        using (SqlConnection con = new SqlConnection("Data Source=LEAN-22\\SQLEXPRESS;Initial Catalog=LUAT;Integrated Security=True"))
        using (SqlCommand cmd = new SqlCommand("SELECT TOP 1 * FROM comboboxnew WHERE code = @code;", con))
        {
            // The selected value is passed as a parameter, never concatenated into the SQL text.
            cmd.Parameters.AddWithValue("@code", Convert.ToString(comboBox1.SelectedItem));

            con.Open();
            using (SqlDataReader myreader = cmd.ExecuteReader(CommandBehavior.CloseConnection))
            {
                // Only read the columns if a matching row was returned.
                if (myreader.Read())
                {
                    string code = myreader.GetInt32(0).ToString();
                    string pieces = myreader.GetInt32(1).ToString();
                    string layers = myreader.GetInt32(2).ToString();
                    string productionpieces = myreader.GetInt32(3).ToString();
                    string seccond = myreader.GetInt32(4).ToString();
                    txtcode.Text = code;
                    txtpieces.Text = pieces;
                    txtlayers.Text = layers;
                    txtproductionpieces.Text = productionpieces;
                    txtseccond.Text = seccond;
                }
            }
        }
    }

NB: You should avoid using SELECT * FROM ...; instead, specify the exact list of fields you want to load.
You'll need to check that Convert.ToString(comboBox1.SelectedItem) returns the value you're expecting. If it's a data-bound list, it might return something like "System.Data.DataRowView" instead, in which case you'll need to do some more work to get the real value.
And you should avoid hard-coding your connection strings. Store them in a configuration file instead. For example:
How to: Read Connection Strings from the Web.config File | Microsoft Docs
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
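
The three follow-up points in the answer above (explicit column list, resolving the real value behind a data-bound SelectedItem, connection string from configuration) combined in one helper. This is an added example, not code from the original post. It assumes the code column is an int (as GetInt32(0) suggests), that the column names match the post's variable names, and that the configuration file has a connection string entry named "LUAT"; the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class ComboLookup   // hypothetical helper, not part of the original post
{
    // A data-bound list hands back a DataRowView, whose ToString() is the type
    // name rather than the value, so pull the key out of the row explicitly.
    public static bool TryGetCode(object selectedItem, out int code)
    {
        object raw = selectedItem is DataRowView view ? view["code"] : selectedItem;
        // Null, DBNull and non-numeric items all fail here and never reach the database.
        return int.TryParse(Convert.ToString(raw), out code);
    }

    public static DataTable LoadByCode(object selectedItem)
    {
        var result = new DataTable();
        if (!TryGetCode(selectedItem, out int code))
            return result; // nothing usable selected: no query is sent

        // Assumption: an entry named "LUAT" exists under <connectionStrings>.
        string cs = ConfigurationManager.ConnectionStrings["LUAT"].ConnectionString;

        // Assumption: column names taken from the variable names in the post.
        const string sql =
            "SELECT TOP 1 code, pieces, layers, productionpieces, seccond " +
            "FROM comboboxnew WHERE code = @code;";

        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Typed parameter: the value travels as data, separate from the SQL text.
            cmd.Parameters.Add("@code", SqlDbType.Int).Value = code;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader); // zero or one row
            }
        }
        return result;
    }
}
```

An empty table means either no valid selection or no matching row, so the caller should check `Rows.Count` before filling the text boxes.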