With a connection object open we now need a command object to retrieve the records.
We’ll declare an OledbCommand variable that’s fit for the purpose of holding a command object.
After declaring the command variable we need to create a command object. We’ll create our Command object using the New Keyword and at the same time the Command object accepts 2 parameters namely the SQL Statement and the connection object. The connection object holds all the connection information to the database that our command object needs.
Once we’ve created our command object we can assign it to our command variable ‘command’.
You’ll notice that our Command object's SQL query accepts a parameter '@LastName'. The parameter is retrieved from the text property of the textbox control and the @LastName parameter is passed into the SQL statement simply by using the @ symbol prefix followed by the text LastName.
Rather than use a parameterised query we could have created our Command object and passed in the value entered into the textbox ‘textbox1’ directly into our SQL query.
Choosing this method exposes our application to SQL Injection attacks. A malicious user could simply enter SQL statements directly into the textbox that would continue and form part of the SQL query or create extra SQL queries. Using parameterized queries we can ensure that the data entered into the textbox is treated as field data for comparison purposes and not directly part of the SQL statement.
<< Searching Records with ASP.NET Part 1 |
Searching Records with ASP.NET>> Part 3 |
Get the best asp web hosting provider now and save 30%
Plug and play ASP membership script that integrates with PayPal to let you charge recurring membership fees.
