Reputation: 11
I'm doing
string sql = "select * from publisher where title like "'"+tbproperty.text+";
but it's not working!
regards..
Upvotes: 1
Views: 146
Reputation: 25287
Use SqlParameter:
SqlCommand cmd = new SqlCommand("select * from publisher where title like @title");
cmd.Parameters.AddWithValue("@title", tbProperty.Text);
If you need to add more to the parameter, then do the following (E.g.: output parameter):
SqlParameter param = new SqlParameter("@param", SqlDbType.NVarChar, 250) { Direction = ParameterDirection.Output };
cmd.Parameters.Add(param);
This means you don't need to build the string per se and stops SQL injection.
Upvotes: 9
Reputation: 1063338
With LIKE, if you expect begin/ends matches you need some wildcards such as '%', and I'm assuming that the user isn't adding those; but - important: don't concatenate user input. Ever; you want something like:
sql = "select * from publisher where title like @arg";
With @arg defined as a parameter, with value something like:
cmd.Parameters.AddWithValue("@arg", "%" + tbproperty.text + "%");
Upvotes: 4
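An added example, not code from any of the answers above, that puts both points together: the wildcards live in the parameter value, never in the SQL text, and the user's own '%', '_' and '[' are escaped so they match literally instead of acting as LIKE wildcards. It assumes SQL Server via System.Data.SqlClient, a 250-character title column, and a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class PublisherSearch
{
    // Make the user's text match literally inside a LIKE pattern.
    // SQL Server treats [ ] as a character class, so "[%]" is a literal
    // percent sign and "[_]" a literal underscore; "[" itself is escaped
    // first so the brackets added afterwards are not re-escaped.
    public static string EscapeLike(string text) =>
        text.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");

    // The pattern is assembled in the parameter value, so a quote in the
    // input (O'Reilly) or a keyword in it cannot change the statement:
    // the server only ever parses the fixed CommandText.
    public static SqlCommand ContainsTitle(SqlConnection conn, string userText)
    {
        var cmd = new SqlCommand("select * from publisher where title like @title", conn);
        // Typed parameter with an explicit length matching the column, rather than
        // AddWithValue, which infers type and length from the value it is given.
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 250).Value =
            "%" + EscapeLike(userText) + "%";
        return cmd;
    }

    static void Main()
    {
        // Placeholder connection string (assumption); the connection is not opened here.
        using var conn = new SqlConnection("Server=(local);Database=Books;Integrated Security=true");
        foreach (var input in new[] { "O'Reilly", "50% off", "a_b" })
        {
            using var cmd = ContainsTitle(conn, input);
            // Prints the unchanged SQL text beside the escaped pattern, e.g.
            // "50% off" becomes the value %50[%] off%
            Console.WriteLine($"{cmd.CommandText}  --  @title = {cmd.Parameters["@title"].Value}");
        }
        // Against a real database: conn.Open(); using var reader = cmd.ExecuteReader(); ...
    }
}
```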
Reputation: 43217
Correction..
string sql = "select * from publisher where title like '" + tbproperty.text + "'";
Upvotes: 0