Question

I have two tables, an appointment table and a medical centre table, which have a relationship with each other using mcID. Right now in my appointment form, I use an outer join to display the mcCentre from the medicalcentre table instead of the mcID in the gridview. You can see in my form that every medical centre (mcCentre) is displayed in the gridview. But I only want the Hwang and Liang Family Clinic record to display, as I want to match the text in the textbox, which is Hwang and Liang Family Clinic. That means whatever hospital text is in the textbox, I only want that hospital's records to appear in the gridview. The textbox name is txtCentre.


    private void LoadAppointmentRecords()
    {
        // Retrieve the connection string from App.config
        string strConnectionString = ConfigurationManager.ConnectionStrings["SACPConnection"].ConnectionString;

        // STEP 1: Create connection
        SqlConnection myConnect = new SqlConnection(strConnectionString);

        // STEP 2: Create command. The outer joins replace the foreign-key ids
        // (patientID, mcID, nurseID) with the readable names from the related tables.
        string strCommandText = "SELECT appointmentID, convert(varchar, aDate, 103) AS aDate, aTime, aStatus, aContact, aHeight, aWeight, pat.pFirstName, pat.pLastName, cen.mcCentre, nur.nUsername FROM APPOINTMENT AS app";
        strCommandText += " LEFT OUTER JOIN PATIENT as pat on app.patientid = pat.patientid";
        strCommandText += " LEFT OUTER JOIN MEDICALCENTRE as cen on app.mcid = cen.mcid";
        strCommandText += " LEFT OUTER JOIN NURSE as nur on app.nurseid = nur.nurseid";

        AppointmentAdapter = new SqlDataAdapter(strCommandText, myConnect);

        // Empty the Appointment table first
        Appointment.Clear();
        // Fill the Appointment table with the rows returned by the SELECT statement
        AppointmentAdapter.Fill(Appointment);

        // If there are records, bind to the grid view and display
        if (Appointment.Rows.Count > 0)
            grdApp.DataSource = Appointment;
    }

Solution

Add this code to your string... This will match whatever is in your txtCentre.Text even when the text is not completely typed yet; matching just a few characters or words will do.

strCommandText += " WHERE mcCentre like '%" + txtCentre.Text.Replace("'", "''").Trim() + "%'";

This will match whatever is in txtCentre.Text exactly...

strCommandText += " WHERE mcCentre like '" + txtCentre.Text.Replace("'", "''").Trim() + "'";

Adding .Replace("'", "''").Trim() to your Text should help you avoid SQL injection without using parameters, but if you want to use parameters, you can follow Jon Barker's method :)

OTHER TIPS

Bear in mind you're exposing yourself to SQL injection attacks with this method. I'd recommend using an ORM such as entity framework. If you still want to work with direct SQL as chris_techno25 posted, then always use parameters, as opposed to directly embedding the string from the user, unsanitised.

http://www.dotnetperls.com/sqlparameter
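As an added example (not code from either answer), here is the question's joined query with the txtCentre filter passed as a SqlParameter instead of being concatenated into the SQL text. It reuses the table and column names from the question and assumes the same SACPConnection connection string; it also goes one step beyond the answers by escaping LIKE wildcards (%, _, [) so a user typing them gets a literal match.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class AppointmentQueries
{
    // Same joined SELECT as in the question. The filter value is never part
    // of this string; it travels to SQL Server as the @centre parameter.
    private const string SelectSql =
        "SELECT app.appointmentID, CONVERT(varchar, app.aDate, 103) AS aDate, app.aTime, app.aStatus, " +
        "app.aContact, app.aHeight, app.aWeight, pat.pFirstName, pat.pLastName, cen.mcCentre, nur.nUsername " +
        "FROM APPOINTMENT AS app " +
        "LEFT OUTER JOIN PATIENT AS pat ON app.patientID = pat.patientID " +
        "LEFT OUTER JOIN MEDICALCENTRE AS cen ON app.mcID = cen.mcID " +
        "LEFT OUTER JOIN NURSE AS nur ON app.nurseID = nur.nurseID " +
        "WHERE cen.mcCentre LIKE @centre";

    // exactMatch = false gives the "contains" behaviour of the first answer,
    // exactMatch = true the full-text match of the second.
    public static DataTable LoadAppointments(string connectionString, string centreText, bool exactMatch)
    {
        // Build the LIKE pattern in C#. Escape the LIKE metacharacters so that
        // "%" or "_" typed into the textbox match literally. "[" must be
        // escaped first, otherwise the brackets added for "%" and "_" would
        // themselves be escaped.
        string trimmed = (centreText ?? string.Empty).Trim();
        string escaped = trimmed.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        string pattern = exactMatch ? escaped : "%" + escaped + "%";

        var table = new DataTable("Appointment");
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(SelectSql, connection))
        {
            // Typed parameter: the value is sent separately from the statement,
            // so quotes or SQL keywords in the textbox cannot change the query.
            command.Parameters.Add("@centre", SqlDbType.NVarChar, 100).Value = pattern;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table); // the adapter opens and closes the connection itself
            }
        }
        return table;
    }
}
```

In the form this replaces the body of LoadAppointmentRecords with `grdApp.DataSource = AppointmentQueries.LoadAppointments(strConnectionString, txtCentre.Text, exactMatch: false);`, assuming strConnectionString is read from App.config as in the question.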

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow