I am trying to get top 3 safety data row according to equipment and plant selection from database. Now I could get top 3 safety value from database with equipment and plant selection and insert to textbox.
When I wrote "' or Safety '" + textbox.text + it is getting other plant and equipment selections
x
sqlcon1.Open();SqlDataAdapter Data = new SqlDataAdapter (@"select * from ****** Where " + "[Equipment Type]='" + equipmenttype_combobox.Text.Trim() + "' and Plant='" + plant_combobox.Text.Trim() + "' and Safety= '" + firstsafety_textbox.Text.Trim() + "' or Safety='" + secondsafety_textbox.Text.Trim() + "' or Safety='" + thirdsafety_textbox.Text.Trim() + "'", sqlcon);DataTable dt1 = new DataTable();SqlDataAdapter db1 = new SqlDataAdapter();Data.Fill(dt1);datagridview1.DataSource = dt1;sqlcon1.Close();Advertisement
Answer
Keep your sql been readable with a help of verbatim strings and string interpolation and many an error will be evident. Here you should either wrap Safety = ... or Safety = ... in parenthesis (Safety = ... or Safety = ... ) or use in construction Safety in (...).
Quick but dirty amendment is
string sql = $@"select * from Makerinfo where [Equipment Type] = '{equipmenttype_combobox.Text.Trim()}' and [Plant] = '{plant_combobox.Text.Trim()}' and [Safety] in ('{firstsafety_textbox.Text.Trim()}', '{secondsafety_textbox.Text.Trim()}', '{thirdsafety_textbox.Text.Trim()}')";SqlDataAdapter Data = new SqlDataAdapter(sql, sqlcon1);However, this implementation has at least 3 flaws:
- It’s prone to SQL Injection
- It will crash on
equipmenttype_combobox.Text = "Browns' equipment"(note apostroph) - For different plants, you have different queries which should be parsed, optimized etc.
Much better aproach is parametrized query:
string sql = $@"select * from Makerinfo where [Equipment Type] = @prm_Equipment and [Plant] = @prm_Plant and [Safety] in (@prm_Safety_1, @prm_Safety_2, @prm_Safety_3)";using (SqlCommand q = new SqlCommand(sql, sqlcon1)) { // I don't know the underlying RDMBS types, that's why I've put AddWithValue //TODO: change AddWithValue to Add and provide the right rdbms type // Something (and most probably) like // q.Parameters.Add("@prm_Equipment", SqlDbType.VarChar).Value = // plant_combobox.Text.Trim(); q.Parameters.AddWithValue("@prm_Equipment", equipmenttype_combobox.Text.Trim()); q.Parameters.AddWithValue("@prm_Plant", plant_combobox.Text.Trim()); q.Parameters.AddWithValue("@prm_Safety_1", firstsafety_textbox.Text.Trim()); q.Parameters.AddWithValue("@prm_Safety_2", secondsafety_textbox.Text.Trim()); q.Parameters.AddWithValue("@prm_Safety_3", thirdsafety_textbox.Text.Trim()); using (var reader = q.ExecuteReader()) { DataTable dt1 = new DataTable(); dt1.Load(reader); datagridview1.DataSource = dt1; }}