Home/ Questions/Q 9260045
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T12:47:57+00:00

I am developing a search engine within WindowsForms, I’m using VB.Net 2010 and SQL

  • 0

I am developing a search engine within WindowsForms,
I’m using VB.Net 2010 and SQL Server 2008,
My connection is ADO.Net

I experience difficulties in concatenating strings whenever I retrieve records from the database using a textbox, combobox and a radiobutton.

I would like to retrieve record based from the values of those objects,

Dim Condition1 As String = TextBox1.Text
Dim Condition2 As String = ComboBox1.Text
Dim Condition3  As String = RadioButton.Text

When I try to concatenate, I use the operator AND..

SELECT * FROM TableName WHERE (Condition1 AND Condition2 AND Conditon3)

It gives me an error when some objects doesnt have a value.

Incorrect syntax near the word AND.
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    NEVER concatenate strings to make queries! use SQL Parameters! The query you posted is prone to SQL Injection.

    Dim query as String = "SELECT * FROM TableName WHERE Column1 = @Column1 AND 
                             Column2 = @Column2 AND Column3 = @Column3"
Dim cmd As SqlCommand
cmd.Parameters.AddWithValue("@Column1", textBox1.Text)
cmd.Parameters.AddWithValue("@Column2", comboBox1.Text)
cmd.Parameters.AddWithValue("@Column3", radioButton1.Text)

    Apart from the above, the conditions you are trying to concatenate are not valid. Anything that comes after the WHERE clause should specify the column name and the value like what I did above. So condition1 should be for example :

    // If the column type is varchar then single quotes must be used
Dim Condition1 As String = String.Format("Name = '{0}'", TextBox1.Text)
    • 0