This code works well when I put in a number like 20,
but when I need to put in data from TextBox1.Text it gives me an error; something in the syntax is not correct.

Cmd.CommandText = "select * from table1 where field1= 20"

Cmd.CommandText = "select * from table1 where field1= '" & TextBox1.Text & "'"


What I have tried:

Cmd.CommandText = "select * from table1 where field1= '" & TextBox1.Text & "'"
Posted
Updated 9-Jun-20 3:09am

You don't need the single quotes as you are searching for a numeric value, so that would be:
Cmd.CommandText = "select * from table1 where field1= " & TextBox1.Text 

But a word of warning: it is dangerous doing it this way due to the risk of "SQL injection", it's better to use parameterized queries if your code is used by others.
Read about it here:
How do I parameterized the queries of VB.NET code[^]
And here: Using C# to connect to and query from a SQL database | Sander Rossel[^]
Comments
Maciej Los 28-May-20 4:08am    
5ed!
katkot_rewsh 28-May-20 6:28am    
it works like that
select * from Table1 where Filed1= '" & TextBox1.Text & "'
many thanks
Richard Deeming 28-May-20 15:54pm    
Hope you're ready to pay a massive fine when that SQL Injection[^] vulnerability is used to hack your database! A similar vulnerability cost TalkTalk £400,000 back in 2016, so you'll need pretty deep pockets.
select * from Table1 where Filed1= '" & TextBox1.Text & "'"
Comments
phil.o 28-May-20 8:54am    
This is the same as what you have tried and which was not correct.
The only decent way is to use a parameterized query:
using (SqlCommand Cmd = ...)
{
   Cmd.CommandText = "SELECT * FROM Table1 WHERE Field1 = @value";
   Cmd.Parameters.Add("@value", SqlDbType.NVarChar).Value = TextBox1.Text;
   // Then execute the command.
}
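The same parameterized query written in VB.NET, the language of the original question. This is an added example, not code from the question or from any of the answers above: it assumes field1 in table1 is an integer column (the question searches for the number 20), that the connection string is supplied by the calling application, and that the helper name CountRowsForField1 is hypothetical.

```vbnet
' Added example: parameterized lookup in VB.NET (not from the question or answers).
' Assumes table1.field1 is an integer column and that the caller supplies the
' connection string.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module ParameterizedLookup

    ' Runs "SELECT * FROM table1 WHERE field1 = @value" with the textbox text
    ' bound as a typed Int parameter and returns the number of rows read.
    ' Throws ArgumentException when the textbox does not hold a whole number,
    ' so anything that is not an integer is rejected before any SQL runs.
    Public Function CountRowsForField1(connectionString As String, textBoxValue As String) As Integer
        Dim value As Integer
        If Not Integer.TryParse(textBoxValue, value) Then
            Throw New ArgumentException("field1 must be a whole number", NameOf(textBoxValue))
        End If

        Dim rowCount As Integer = 0
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("SELECT * FROM table1 WHERE field1 = @value", conn)
                ' The user's value travels to the server as a parameter, never as SQL text,
                ' so the query structure cannot be changed by what is typed in the box.
                cmd.Parameters.Add("@value", SqlDbType.Int).Value = value
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        rowCount += 1
                    End While
                End Using
            End Using
        End Using
        Return rowCount
    End Function

End Module
```

Usage from a form: `Dim n = ParameterizedLookup.CountRowsForField1(connStr, TextBox1.Text)` inside a Try block that reports the ArgumentException to the user. If field1 is actually a text column, keep the same shape but declare the parameter as `SqlDbType.NVarChar` with the column's length and assign `TextBox1.Text` directly; the point is that the parameter's type matches the column and the value is never concatenated into the command string.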
Cmd.CommandText = "select * from Masterbatch where MBColor = " & Val(ComboBox9.SelectedItem) & ""
Comments
Richard Deeming 9-Jun-20 10:17am    
You really aren't listening, are you?!

Try typing the following in your textbox, and executing your query:
42'; DELETE FROM Masterbatch; --


Now read up on SQL Injection vulnerabilities, and go and fix all of your database code:
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)