问题
This is the code that is used to make the search
private void button1_Click(object sender, EventArgs e)
{
string connectionString = Tyre.Properties.Settings.Default.Database1ConnectionString;
SqlConnection conn = new SqlConnection(connectionString);
DataTable dt = new DataTable();
SqlDataAdapter SDA = new SqlDataAdapter("SELECT * FROM table1 where Nom like " + textBox1.Text, conn);
SDA.Fill(dt);
dataGridView1.DataSource = dt;
}
and im getting this error
An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll
Additional information: Invalid column name 'elie'.
thats a exemple of my application :
Click here to see the image
回答1:
First off, your code is wide open to SQL Injection. You allow the user to insert any data he wants including
; DROP TABLE table1
To fix the immediate issue surround the item to be matched with single quotes and % signs:
"SELECT * FROM table1 where Nom like '%" + textBox1.Text + "%'"
However, you absolutely should look into using a parameterized query.
来源:https://stackoverflow.com/questions/14695282/how-to-make-search-of-a-string-in-a-data-base-in-c-sharp