Dec 13th, 2004, 11:13 AM
#3
Banned
Re: conditional select statement
 Originally Posted by Mike Hildner
Not sure if this will help, had to do something similar just the other day. In my case, I had to build a WHERE clause if certain text boxes were filled in. Not sure if this is even the right way to do it, but it seems to work anyway.
Code:
string sql = "SELECT [Name], DOB, SSN FROM MasterName " +
             "WHERE [Name] LIKE @Name";

// Add the DOB clause if filled in.
if (tbDOB.Text != "")
{
    sql += " AND DOB = " + tbDOB.Text;
}

// Add the SSN clause if filled in.
// Not really sure why I had to put single quotes around SSN
// and not DOB, but if you remove, it results in bad SQL.
if (tbSSN.Text != "")
{
    sql += " AND SSN = '" + tbSSN.Text + "'";
}

// Add the order by clause.
sql += " ORDER BY [Name], DOB";
If you give a little more detail - like the variations you have to come up with, that would help.
Dynamic SQL is very bad practice. This should be a stored procedure. Not only is dynamic SQL a problem with SQL injection, but it destroys the security involved with the entire schema.
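An added example, not from either poster: the same optional DOB/SSN filter built so that the SQL text is assembled only from constant fragments and every text-box value is bound as a typed parameter. The class name, method signature, column types and sizes are assumptions; the table and column names are taken from the quoted code.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class MasterNameSearch
{
    // Hypothetical helper: returns a command whose text contains no user input.
    // The caller owns the returned SqlCommand and should dispose it.
    public static SqlCommand Build(SqlConnection conn, string name,
                                   string dobText, string ssnText)
    {
        var where = new List<string> { "[Name] LIKE @Name" };
        var cmd = new SqlCommand { Connection = conn };
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;

        // Add the DOB clause if filled in.
        if (!string.IsNullOrWhiteSpace(dobText))
        {
            // Parse on the client so a malformed date is rejected here
            // instead of being spliced into the statement.
            DateTime dob;
            if (!DateTime.TryParse(dobText, out dob))
                throw new FormatException("DOB is not a valid date.");
            where.Add("DOB = @DOB");
            cmd.Parameters.Add("@DOB", SqlDbType.DateTime).Value = dob;
        }

        // Add the SSN clause if filled in. No quoting is needed: the value
        // is sent as data, separately from the SQL text.
        if (!string.IsNullOrWhiteSpace(ssnText))
        {
            where.Add("SSN = @SSN");
            cmd.Parameters.Add("@SSN", SqlDbType.VarChar, 11).Value = ssnText.Trim();
        }

        // Only the constant fragments above are concatenated.
        cmd.CommandText = "SELECT [Name], DOB, SSN FROM MasterName WHERE "
                        + string.Join(" AND ", where)
                        + " ORDER BY [Name], DOB";
        return cmd;
    }
}
```

This closes the injection path in the quoted code, but the account running it still needs SELECT rights on MasterName. A stored procedure, as the reply recommends, can instead be granted EXECUTE only.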