C# - How to use user input as a parameter in a SQL query in a Windows Forms application?


I want to attach a parameterized query to the dataset. The user enters a value in a text box and hits the submit button.

I have created the text field and the button click event:

    private void btn_getProjDetails_Click(object sender, EventArgs e)
    {
        string userEnteredProjId = tab3ProjIdInput.Text;
    }

But I don't know how to use the userEnteredProjId variable in the query.

I haven't tried manually coding the data-connection path. Instead I added it through the GUI in VS2012 with Add Data Source. Using the data source I have learned that I can add datasets, and then drag and drop these datasets onto the form. I created a dataset, and from the dataset toolbox I added a table and created a query, but I don't know how to use userEnteredProjId in the query here.


You never want to insert a value from the user directly into a SQL query because it is a huge SQL injection risk. It is better to use parameters, and better still if you do validation on the parameters before using them. Here is a basic example of using a command parameter.

    // conn is an already opened SqlConnection
    using (SqlCommand command = new SqlCommand())
    {
        string sql = "SELECT * FROM table WHERE projid = @userEnteredProjId";
        command.Connection = conn;
        command.CommandType = CommandType.Text;
        command.CommandText = sql;
        // the value is sent as a parameter, not spliced into the SQL text
        command.Parameters.AddWithValue("@userEnteredProjId", your_value_here);
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // do something with the row
            }
        }
    }
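To connect the answer back to the question's click handler, here is an added example (not code from the original post or its author) that validates the text box value, binds it as a typed SqlParameter, and fills a grid. It assumes a form with a TextBox named tab3ProjIdInput and a DataGridView named projDetailsGrid, a placeholder connection string, and a table Projects with an integer column ProjId; all of those names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Added example, not from the original post. Form controls (tab3ProjIdInput,
// projDetailsGrid), the connection string and the table/column names are
// assumptions; replace them with your own.
public partial class ProjectForm : Form
{
    // Placeholder connection string; normally read from configuration.
    private const string ConnString =
        "Server=YOUR_SERVER;Database=YOUR_DB;Integrated Security=true;";

    private void btn_getProjDetails_Click(object sender, EventArgs e)
    {
        // Validate before the value ever reaches SQL: the column is an int,
        // so only accept a positive whole number.
        if (!int.TryParse(tab3ProjIdInput.Text.Trim(), out int projId) || projId <= 0)
        {
            MessageBox.Show("Project id must be a positive whole number.");
            return;
        }

        try
        {
            projDetailsGrid.DataSource = LoadProjectDetails(projId);
        }
        catch (SqlException)
        {
            // Show a generic message to the user; log the exception for
            // diagnostics rather than displaying its details.
            MessageBox.Show("Could not load project details.");
        }
    }

    // Returns the rows for one project. The user value is bound as a typed
    // parameter, so it travels separately from the SQL text and cannot alter
    // the statement, whatever the user typed.
    private static DataTable LoadProjectDetails(int projId)
    {
        const string sql = "SELECT * FROM Projects WHERE ProjId = @projId";
        var table = new DataTable();

        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit SqlDbType avoids the type inference of AddWithValue.
            cmd.Parameters.Add("@projId", SqlDbType.Int).Value = projId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
        }
        return table;
    }
}
```

If you prefer to stay with the dataset designer, the same idea applies there: write the TableAdapter query with a named parameter such as `WHERE ProjId = @projId`, and the generated Fill method takes that value as a method argument, so the parsed int from the text box is passed in rather than concatenated into the SQL.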
