
This is a code segment that I have written in C#. Mobile and Name are columns in my table. The problem is that there is something wrong with the format of my query. Is the syntax correct if we want to connect two queries in C# using OR?

// Query text built by string concatenation (the code the question asks about; the string literal
// is joined onto one line here because a C# string literal cannot span a line break).
SqlDataAdapter da = new SqlDataAdapter("SELECT * FROM [Contact Management] WHERE Mobile='" + Convert.ToInt32(txtSearch.Text) + "' OR Name='" + txtSearch.Text + "'", con);
Comments:

  • Not correct at all; you should not have txtSearch.Text wrapped in any quotes whatsoever. I would personally look into using a parameterized query as well. Commented May 13, 2013 at 21:14
  • But if I remove the code segment after OR then it is working... that is, after removing the OR part I can at least select where Mobile = some value... so the quotes are not creating any problem, I think so... Commented May 13, 2013 at 21:17
  • You need to use parameters to insert user data into SQL queries... Commented May 13, 2013 at 21:20

2 Answers


No, that syntax is not correct. It's vulnerable to sql injection attacks. You need to build it like this:

// One parameter serves both comparisons; the user's text is bound as data, never spliced into the SQL.
SqlCommand cmd = new SqlCommand("SELECT * FROM [Contact Management] WHERE Mobile = @Search OR Name = @Search", con);
cmd.Parameters.Add("@Search", SqlDbType.NVarChar, 50).Value = txtSearch.Text;
SqlDataAdapter da = new SqlDataAdapter(cmd);

You could also write the query this way:

SELECT * FROM [Contact Management] WHERE @Search IN (Mobile, Name) 

Comments:

  • Keeping the SQL injection part aside, is there any way without using parameterized queries? I am a beginner, so it is very difficult to understand.
  • Parameterized queries are the only acceptable way to do this without running into SQL injection issues, and I won't help you write vulnerable code.

As usual, never use string concatenation to build an SQL command. Use parameterized queries:

string query = "SELECT * FROM [Contact Management] WHERE Mobile=@mobile OR Name=@name";
SqlCommand cmd = new SqlCommand(query, con);
cmd.Parameters.AddWithValue("@mobile", Convert.ToInt32(txtSearch.Text));
cmd.Parameters.AddWithValue("@name", txtSearch.Text);
SqlDataAdapter da = new SqlDataAdapter(cmd);

The parameterized query will save your database from SQL injection attacks, but also from problems in parsing your input text. What if the search text contains a single quote? With concatenation you will get a syntax error.

However, let me say that your code will fail before this. If you have a number in txtSearch, then everything will work, but if you have a string, converting it to a number with Convert.ToInt32 will fail. Better to use:

SqlCommand cmd = new SqlCommand();
cmd.Connection = con;   // the command needs the connection before it can execute
string query;
int numSearch;
if (Int32.TryParse(txtSearch.Text, out numSearch))
{
   // numeric input: search the integer column with an int parameter
   query = "SELECT * FROM [Contact Management] WHERE Mobile=@p1";
   cmd.Parameters.AddWithValue("@p1", numSearch);
}
else
{
   // anything else: search the text column, still as a parameter
   query = "SELECT * FROM [Contact Management] WHERE Name=@p1";
   cmd.Parameters.AddWithValue("@p1", txtSearch.Text);
}
cmd.CommandText = query;
....
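The following is an added example, not code from the question or from either answer. It puts both answers' techniques into one complete method: the single-parameter search of the first answer (the same value compared against both columns) and the TryParse branching of the second, so that non-numeric input never reaches Convert.ToInt32 and no user text is ever concatenated into the SQL. It assumes the schema implied by the question (an integer Mobile column and an nvarchar Name column in [Contact Management]); the connection string in Main is a placeholder.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ContactSearch
{
    // Assumed schema: [Contact Management] has an int Mobile column and an
    // nvarchar Name column. The search text only ever travels as a parameter.
    public static DataTable Search(SqlConnection con, string searchText)
    {
        var table = new DataTable();

        using (var cmd = con.CreateCommand())
        {
            int mobile;
            if (int.TryParse(searchText, out mobile))
            {
                // Numeric input: compare the integer column with a typed int
                // parameter and still allow a match on Name.
                cmd.CommandText =
                    "SELECT * FROM [Contact Management] WHERE Mobile = @mobile OR Name = @name";
                cmd.Parameters.Add("@mobile", SqlDbType.Int).Value = mobile;
            }
            else
            {
                // Non-numeric input cannot be a mobile number; search Name only.
                cmd.CommandText = "SELECT * FROM [Contact Management] WHERE Name = @name";
            }

            // The raw text is bound as an nvarchar parameter. A value such as
            // O'Brien (or any other text containing quotes) is sent as data and
            // is never parsed as part of the SQL statement.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = searchText;

            using (var da = new SqlDataAdapter(cmd))
            {
                // Fill opens the connection if it is closed and closes it afterwards.
                da.Fill(table);
            }
        }

        return table;
    }

    public static void Main()
    {
        // Placeholder connection string (assumption); replace with your own.
        using (var con = new SqlConnection("Server=.;Database=Contacts;Integrated Security=true"))
        {
            DataTable rows = ContactSearch.Search(con, "O'Brien");
            Console.WriteLine(rows.Rows.Count + " row(s) found");
        }
    }
}
```

Typed parameters (SqlDbType.Int for Mobile, SqlDbType.NVarChar for Name) are used instead of AddWithValue so the driver does not have to infer the SQL type from the .NET value; this keeps the comparison against the integer column free of implicit string conversions and makes the query plan stable across inputs.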
