private void searchMulti(string searchType, string searchTerm)
{
{
{
var query = "";
cb_Surname.Items.Clear();
txt_patient_search.Clear();
if (patient_NHSID.Equals(null) != true)
{
pbar_search.Value = 2;
var connectionString = Settings.Default.CMTA_DBConnectionString;
using (var con = new SqlConnection(connectionString))
{
if (searchType != "NHSID")
{
query = @"SELECT * FROM Patient WHERE @p2 = '@p1' ";
}
else
{
query = @"SELECT * FROM Patient WHERE @p2 = @p1";
}
using (var qry_search = new SqlCommand(query))
{
qry_search.Connection = con;
qry_search.Parameters.Add("@p1", SqlDbType.VarChar).Value = searchTerm;
qry_search.Parameters.Add("@p2", SqlDbType.VarChar).Value = searchType;
con.Open();
qry_search.ExecuteNonQuery();
int firstIteration = 0;
using (var rdr = qry_search.ExecuteReader())
{
if (rdr.HasRows)
{
//Found Valid Patient Event
pbar_search.Value = 6;
pbox_tick.Show();
foundValidPatient = true;
////////////////////////////
while (rdr.Read())
{
if (firstIteration == 0)
{
pbar_search.Value = 8;
cb_Surname.Text = rdr.GetInt64(0) + " - " + rdr.GetString(1) + " - " +
rdr.GetString(2);
firstIteration = 1;
}
cb_Surname.Items.Add(rdr.GetInt64(0) + " - " + rdr.GetString(1) + " - " +
rdr.GetString(2));
}
}
else
{
//Patient Not Found
pbox_cross.Show();
patientSelected = false;
foundValidPatient = false;
}
con.Close();
}
}
}
}
else
{
MessageBox.Show("Please Enter Valid Text");
pbar_search.Value = 0;
pbox_cross.Show();
}
}
}
}
The method above isn't working. It should query the SQL Server database for a user entered term (such as textbox value) and query it for a searchtype (firstname) however when debugging the SQL query is executed but no rows are returned.
If I run the command without the parameters and insert actual values i.e (WHERE FirstName = 'Alan') it works perfectly.
What have I done incorrectly with this SQL query?
query = @"SELECT * FROM Patient WHERE @p2 = '@p1' ";
Many thanks!
'@p1'.= 'ALan'is and existing record where as'@p1'is a column name if i'm not mistaken.WHERE @p2 = @p1 ;(p1 = alan, p2= firstname)WHERE 'FirstName' = 'Alan) which is always false.query = @"SELECT * FROM Patient WHERE " + searchType +" = @p1";orquery = String.Format("SELECT * FROM Patient WHERE {0} = @p1", searchType). The table name should be concatenated within query instead of using string comparison by passing table name as parameter value.