
I am currently creating a WinForms-based tool in Visual Studio 2019 that reads data from a SQL database. I am having difficulty when pulling a field from the form I am working in into the SqlCommand query.

This is part of my VB code. Note that this works fine without the Surname LIKE filter; it also works if I write it with a hard-coded surname, such as 'Adams'. I can also get the same logic to work using variables directly in SQL. The message pop-up displays 'Adams' as expected, but nothing is returned in the data grid.

Screenshots below show the result of running the form as desired and when hard-coded to 'Adams'.

Thanks in advance for any help :)

Imports System.Data
Imports System.Data.SqlClient

Public Class Form4
    Public Sub BtnFetchAdastraUser_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnFetchAdastraUser.Click

        Dim connetionString As String = "Data Source=xxxxxx;Initial Catalog=xxxxxx;User ID=xxxxx;Password=xxxxx"
        Dim dt As New DataTable()

        Using connection As New SqlConnection(connetionString)
            ' The Surname text box value is concatenated straight into the SQL text.
            Dim command As New SqlCommand(
                                            "select 
                                                [u].[UserRef],
                                                [u].[UserName],
                                                [u].[FullName]
                                            from dbo.[Users][u]
                                            where
                                                [Obsolete] = 0
                                                    and [Surname] like '%" + Surname.Text + "%'", connection
                                          )
            command.Connection.Open()
            Dim sqlAdaptr As New SqlDataAdapter(command)
            Dim ds As New DataTable
            sqlAdaptr.Fill(ds)
            DataGridView1.DataSource = ds

            MsgBox(Surname.Text)

            command.Connection.Close()
        End Using
    End Sub

End Class


2 Answers

I figured it out. I ran command.CommandText through my MsgBox and it highlighted the below issue with what I was passing through in the query!

I'd added text to the front of the field I was passing through.


It is recommended that you use parameters to write SQL query statements. It can be changed as follows:

    Using connection As New SqlConnection(connetionString)
        connection.Open()
        ' The placeholder @Surname is the only thing that appears in the SQL text;
        ' the value, including the % wildcards, is supplied separately as a parameter.
        Dim command As New SqlCommand(
                                        "select 
                                        [u].[UserRef],
                                        [u].[UserName],
                                        [u].[FullName]
                                    from dbo.[Users][u]
                                    where
                                        [Obsolete] = 0
                                            and [Surname] like @Surname", connection
                                      )
        command.Parameters.Clear()
        ' Wildcards belong in the parameter value, not around the placeholder in the query.
        command.Parameters.AddWithValue("@Surname", "%" & Surname.Text & "%")

        Dim sqlAdaptr As New SqlDataAdapter(command)
        Dim ds As New DataTable
        sqlAdaptr.Fill(ds)
        DataGridView1.DataSource = ds

        MsgBox(Surname.Text)
        MsgBox(command.CommandText)

        command.Connection.Close()
    End Using

2 Comments

Using parameters: not just recommended but mandatory practice. All it takes to crash this code is a surname like O'Connor. Besides, the input from a textbox should be sanitized: use the Trim function to eliminate possible whitespace. When doing copy-paste, extra spaces, tabs and carriage returns sneak in frequently.
Yes, here Surname.Text can be anything, and it could break the query if it has a ' in it.
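The following is an added example and is not code from the question or from either answer. It uses Python with SQLite standing in for the VB.NET and SQL Server code on this page, over a few constructed sample rows shaped like the `Users` table the query reads, to show what the concatenated query does with a surname such as O'Connor and with a crafted value, what the parameterized version does with the same inputs, and one thing parameters alone do not fix: a `%` or `_` typed into the text box still acts as a LIKE wildcard unless it is escaped and the query carries an ESCAPE clause.

```python
import sqlite3

# Constructed sample rows standing in for dbo.Users (an assumption: the column
# set mirrors what the question's query selects and filters on).
# User 2 is obsolete and must never be returned by a correct query.
SAMPLE_USERS = [
    (1, "jadams",   "Jane Adams",      "Adams",       0),
    (2, "badams",   "Bob Adams",       "Adams",       1),
    (3, "poconnor", "Pat O'Connor",    "O'Connor",    0),
    (4, "sunder",   "Sam Under_score", "Under_score", 0),
]

SELECT = ("SELECT UserRef, UserName, FullName FROM Users "
          "WHERE Obsolete = 0 AND Surname LIKE ")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserRef INTEGER, UserName TEXT, FullName TEXT, "
        "Surname TEXT, Obsolete INTEGER)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def fetch_concatenated(conn, surname):
    """The question's pattern: the text box value is spliced into the SQL text.
    A quote in the value breaks the statement; a crafted value rewrites it."""
    sql = SELECT + "'%" + surname + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def concatenated_query_errors(conn, surname):
    """True when the concatenated statement is no longer valid SQL (e.g. O'Connor)."""
    try:
        fetch_concatenated(conn, surname)
    except sqlite3.OperationalError:
        return True
    return False


def escape_like(value, esc="\\"):
    """Make LIKE wildcards inside user input match literally. The escape
    character itself must be doubled before % and _ are escaped."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def fetch_parameterized(conn, surname, escape_wildcards=True):
    """The fix from the second answer: the value travels as a parameter, so a
    quote or a keyword in it is plain data, and the % wildcards are part of
    the parameter value rather than the SQL text. With escape_wildcards=False
    the user's own % and _ still act as wildcards; with it, they match literally."""
    if escape_wildcards:
        sql = SELECT + "? ESCAPE '\\'"
        pattern = "%" + escape_like(surname) + "%"
    else:
        sql = SELECT + "?"
        pattern = "%" + surname + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = make_db()
    for value in ["Adams", "O'Connor", "' OR 1=1 --", "Adam_"]:
        concat = ("SQL error" if concatenated_query_errors(db, value)
                  else fetch_concatenated(db, value))
        print(f"{value!r:16} concatenated={concat!s:14} "
              f"param={fetch_parameterized(db, value, False)!s:10} "
              f"param+escape={fetch_parameterized(db, value)}")
```

Two caveats when carrying this back to SQL Server: T-SQL LIKE also treats `[` as a wildcard (it opens a character range), so an `escape_like` for SQL Server must escape `[` as well as `%` and `_`; and `AddWithValue` infers the parameter type and length from the value, so against a `varchar` Surname column it is better to declare the parameter explicitly with `Parameters.Add("@Surname", SqlDbType.VarChar, length)` so the comparison does not involve an implicit conversion.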
