How to filter a database?

Question

1.00/5 (1 vote)

See more:

I am trying to filter my database by using False that is in a Column named Submitted. I have the code for creating and displaying the database. I am trying to just filter it by False data. So just trying to display the data that has False in that column. I just can't get the code right for filtering the database. This is my first time trying the method on filtering. I would usually do this by the Gridview in ASP. I Can someone please help?

C#

SqlCommand com2 = new SqlCommand("Select USER_ID, LongName, SUBMITTED, YEAR, DATE from Table12 where SUBMITTED = 'False' and YEAR = '" + TextBoxYEAR.Text + "'", con2);

DataTable dt2 = new DataTable();
            SqlDataReader sqlDataReader2 = com2.ExecuteReader();


            dt2.Load(sqlDataReader2);
            sqlDataReader2.Close();

            GridView dataGridView3 = new GridView();
            GridView3.DataSource = dt2;
            GridView3.DataBind();
            lblCount3.Text = GridView3.Rows.Count.ToString();

What I have tried:

C#

FilterExpression filter1 = new FilterExpression();

Posted 18-Oct-17 4:25am

Computer Wiz99

Updated 18-Oct-17 4:43am

Add a Solution

Comments

ZurdoDev 18-Oct-17 11:03am

Since we cannot see your data, what is it you want us to do?

Computer Wiz99 18-Oct-17 11:06am

What is the best way on using a filter by the code I am using?
I know how to do it on the ASP side using the Grid view Properties but never did it in C# when building the Gridview.

ZurdoDev 18-Oct-17 11:12am

Use parameters as mentioned in solution 1.

Richard Deeming 18-Oct-17 15:04pm

SUBMITTED = 'False'

Why are you storing boolean flags as strings? Use the bit type instead - 0 for false, and 1 for true.

bit (Transact-SQL) | Microsoft Docs[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2017-10-18T04:43:00

Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

SQL

DROP TABLE MyTable;

A perfectly valid "delete the table" command

SQL

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Then remove the WHERE condition, and see exactly what rows you get back.
If it looks reasonable, add back one half of the WHERE and try again. If that work, add back the other half instead and see what you get.
Remember that AND requires both conditions to be true in order to match a row.

We can't do any of that for you: we have no access to your data!