TECHNOLOGIES
FORUMS
JOBS
BOOKS
EVENTS
INTERVIEWS
Live
MORE
LEARN
Training
CAREER
MEMBERS
VIDEOS
NEWS
BLOGS
Sign Up
Login
No unread comment.
View All Comments
No unread message.
View All Messages
No unread notification.
View All Notifications
Answers
Post
An Article
A Blog
A News
A Video
An EBook
An Interview Question
Ask Question
Forums
Monthly Leaders
Forum guidelines
sarika sarikaa
NA
60
8.3k
Parameterized query for like clause to avoid sql injection
Apr 26 2018 6:07 AM
private void Form2_Load(object sender, EventArgs e)
{
con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=D:\DATABASE\data.sql.mdf;Integrated Security=True;Connect Timeout=30");
con.Open();
adpt = new SqlDataAdapter(" select * from Tab ", con);
dt = new DataTable("Tab");
adpt.Fill(dt);
DataGridView.DataSource = dt;
DataGridView.Columns["Drawing"].DefaultCellStyle.ForeColor = Color.Blue;
DataGridView.Columns["Drawing"].DefaultCellStyle.Font = new Font(DataGridView.DefaultCellStyle.Font, FontStyle.Underline);
gridview_data();
}
private void TxtSearch_TextChanged(object sender, EventArgs e)
{
try
{
// = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=D:\DATABASE\data.sql.mdf;Integrated Security=True;Connect Timeout=30");
//con.Open();
con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=D:\DATABASE\data.sql.mdf;Integrated Security=True;Connect Timeout=30");
con.Open();
adpt = new SqlDataAdapter(" select * from Tab Where [Part_No] like '%" + TxtSearch.Text + "%' AND [Company_Name] like '%" + TextBox1.Text + "%'", con);
//adpt = new SqlDataAdapter(" select * from Tab Where [Part_No] like '%" + TxtSearch.Text + "%' AND [Company_Name] like '%" + TextBox1.Text + "%'", con);
// SqlCommand sda = new SqlCommand(" select * from Tab Where [Part_No] like '%@Part_No%' and [Company_Name] like '%@Company_Name%'", con);
//sda.Parameters.Clear();
// sda.Parameters.AddWithValue("Part_No", TxtSearch.Text );
//sda.Parameters.AddWithValue("Company_Name", TextBox1.Text );
dt = new DataTable("Tab");
adpt.Fill(dt);
DataGridView.DataSource = dt;
con.Close();
if (dt.Rows.Count <= 0)
{
DataRow row1 = dt.NewRow();
row1[0] = "No Record Found";
dt.Rows.Add(row1);
DataGridView.Rows[0].DefaultCellStyle.BackColor = Color.Yellow;
DataGridView.DefaultCellStyle.Font = new Font("Regular", 12, FontStyle.Regular);
}
else
{
DataGridView.Rows[0].DefaultCellStyle.BackColor = Color.Red;
DataGridView.DefaultCellStyle.Font = new Font("Regular", 12, FontStyle.Regular);
}
if (TextBox1.Text == "" && TxtSearch.Text == "")
{
con.Open();
adpt = new SqlDataAdapter(" select * from Tab ", con);
dt = new DataTable("Tab");
adpt.Fill(dt);
DataGridView.DataSource = dt;
con.Close();
}
}
please give me a query in parameterized form to avod sql injection attack.
Reply
Answers (
1
)
can we use the layout contents inside the view
Object cannot be cast from DBNull to other types