Implementing database search

c# mysql sql search select
10,842

I think you should consider three things
1- You may replace OR with And in your query
I mean instead of using

da = new MySqlDataAdapter(
"SELECT * FROM data INNER JOIN country ON id_data = id_country 
 WHERE name like '" + textBox1.Text + 
"'OR lastname like '" + textBox2.Text + 
"'OR sex like '" + radiob + 
"'OR birthdate like '" + maskedTextBox1.Text + 
"'OR phone
_number like '" + maskedTextBox2.Text + "' ;", conn);

You may use 

 da = new MySqlDataAdapter(
 "SELECT * FROM data INNER JOIN country ON id_data = id_country 
 WHERE name like '" + textBox1.Text + 
 "'AND lastname like '" + textBox2.Text + 
 "'AND sex like '" + radiob + 
 "'AND birthdate like    '" + maskedTextBox1.Text + 
 "'AND phone_number like '" + maskedTextBox2.Text + "' ;", conn);

2- You have to build your query string based on your text boxes and else seeing if they have any value, something like this:

StringBuilder Query = "SELECT * FROM data INNER JOIN country ON id_data = id_country 
     WHERE 1=1 ";
if(!String.IsNullOrEmpty(textBox1.Text))
  Query.Append(" AND name like '" + textBox1.Text);
....

3- Sql Injection vulnerabilities

Share:
10,842
Chris
Author by

Chris

Updated on June 04, 2022

Comments

  • Chris
    Chris almost 2 years

    I use mysql as database where I store my data.

    I have a windows form with textboxes radiobuttons, comboboxes and more; where people give personal information about themselves like (first name, last name, sex, date birthday, phone, father name and more like this). (40 fields total)

    I want to do a search button. With this button I want to fill some fields and after I push the search button a new window be opened containing all people with same personal information. I achieved to do a search button for one field (for example searching only by name).

    But I have a problem when I select to search with more than one fields. For example I select to search all people who have name:Chris, Nickname:Dung, sex:Male, Birth_Country:UK and other but when I push search it gives back a window with irrelevant with the search data. Can someone help me with that?

    The code I made for the search button after changes is:

    public MySqlDataAdapter da;
public DataSet ds;
public string sTable = "data";

private void anazitisi_button_Click(object sender, EventArgs e)
        {
            Form2 form2 = new Form2();
            try
            {
                conn = openconnectio.GetConn();

                string radiob = null;                               
                if (radioButton1.Checked == true)
                {
                    radiob = radioButton1.Text;
                }
                else if(radioButton2.Checked == true)
                {
                    radiob = radioButton2.Text;
                }

                StringBuilder Query = new StringBuilder("SELECT * FROM data d INNER JOIN country c ON d.id_data = c.id_country WHERE 1=1 ");
                if (!String.IsNullOrEmpty(textBox1.Text))
                    Query.Append(" AND name like '" + textBox1.Text + "'");
                if (!String.IsNullOrEmpty(textBox2.Text))
                    Query.Append(" AND lastname like '" + textBox2.Text + "'");
                if (!String.IsNullOrEmpty(radiob))
                    Query.Append(" AND sex like '" + radiob + "'");
                if (!String.IsNullOrEmpty(maskedTextBox1.Text))
                    Query.Append(" AND birthdate like '" + maskedTextBox1.Text + "'");
                if (!String.IsNullOrEmpty(maskedTextBox2.Text))
                    Query.Append(" AND phone_number like '" + maskedTextBox2.Text + "'");

                MySqlDataAdapter da = new MySqlDataAdapter(Query.ToString(), conn);
                ds = new DataSet();
                da.Fill(ds, sTable);
                conn.Close();
            }
            catch (MySql.Data.MySqlClient.MySqlException ex)
            {
                MessageBox.Show(ex.Message);

            }
            finally
            {
                DataGridView dg1 = new DataGridView();
                form2.Controls.Add(dg1);
                dg1.Dock = DockStyle.Fill;

                dg1.Refresh();
                dg1.DataSource = ds;
                dg1.DataMember = sTable;

                form2.Show();

                if (conn != null)
                {
                    conn.Close();
                }
            }
        }

    My results after search is fine when i comment that code:
    (birthdate code) and i dont used as search of course.

            //if (!String.IsNullOrEmpty(maskedTextBox1.Text))
        //    Query.Append(" AND birthdate like '" + maskedTextBox1.Text + "'");

    But when i use the (birthdate code) i get us result only a blank row.
    I think because the birthdate maskedTextbox have a mask: 00/00/0000
    Any suggestion?
    Thanks.

  • Just Aguy
    Just Aguy about 11 years
    @Chris The two answers above both have merit in their approach. The stored procedure here is a very good alternative if you want to return null value match but that's not really the idea behind a search. It also introduces you to another area of complexity, stored procedure programming, and being a beginner these approaches will overwhelm you.
  • Just Aguy
    Just Aguy about 11 years
    @Chris This one fits in with your current code and further refines the query. However it may be too restrictive on it's matching. Give this a shot and see what you come out with.
  • Chris
    Chris about 11 years
    @JustAguy Well i changed the code. I changed OR with AND but now i have to fill all the fields to get a result. When i fill only the name field i get nothing as a result. What i have to do if i want to get all the people with name = Chris for example??
  • Matt Busche
    Matt Busche about 11 years
    @Chris if a form field was not filled in then you need to not add that to your SQL query - option 2 of M.Heydari's answer covers this
  • Chris
    Chris about 11 years
    @sarshong eng. Can you do an example with my variables? Because i can't understand exactly what you want to do. (Sorry i am new in programming).
  • Harry Sarshogh
    Harry Sarshogh about 11 years
    Ok sir, I change this response by your variable and please also if it useful you can set score for response to this fourm

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Multiple inner joins with different where-conditions
SELECT all (but one column as null)
SQL COUNT with WHERE clause
MySQL: Look for the same string in multiple columns
Selecting DISTINCT where not null in MySQL
MySql Syntax error: You have an error in your SQL syntax near '' at line 1
Select all rows that have column value larger than some value
Date Difference Logic in LINQ
MySQL: SELECT highest column value when WHERE finds similar entries
SQL - Select where parameter A is one of multiple values and parameter B is equal