I’m trying to setup a simple C# form to search one of our SQL databases. I keep getting a ‘SQLException was Unhandled’ error when I try to debug. I know the SQL statement works, I can run it just fine on my server. I think it’s a problem with the way that I am trying to input the data from the TextBox. Can someone give me some guidance?
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;
namespace USER_Lookup
{
public partial class Search : Form
{
DataSet ds = new DataSet();
SqlConnection cs = new SqlConnection("Data Source=PC01; Initial Catalog=DB01; Integrated Security=TRUE");
SqlDataAdapter da = new SqlDataAdapter();
public Search()
{
InitializeComponent();
}
private void button_Search_Click(object sender, EventArgs e)
{
string badgeCode = textBox_badgeCode.Text.Trim();
da.SelectCommand = new SqlCommand
("SELECT db01.dbo.staff.lastname AS 'Last Name', db01.dbo.staff.firstname AS 'First Name', db01.dbo.staff.badgecode AS 'User ID', db01.dbo.staffrole.name AS 'Role' FROM db01.dbo.staff, db01.dbo.staffrole, db01.dbo.staff_staffrole WHERE db01.dbo.staff.badgecode =" + badgeCode + "AND db01.dbo.staff.id = db01.dbo.staff_staffrole.staff_id AND db01.dbo.staff_staffrole.staffrole_id = db01.dbo.staffrole.id", cs);
ds.Clear();
da.Fill(ds);
dg.DataSource = ds.Tables[0];
}
}
}
No space here
Also here you use
maclive.dbo.staff.lastnamebut there is no FROM or JOIN for this database(typo?)
And, if
db01.dbo.staff.badgecodeis a varchar field then you need single quotes around your badgeCode variable. However, string concatenation to form a SQL command is the sure path to Sql Injection attacks.Change your code to use parameters