Share via

Unclosed quotation mark after the character string ''. Incorrect syntax near ''. How to resolve this while search function using like operator?

SPIDEY JOE 21 Reputation points
2022-05-31T06:52:28.8+00:00

public CategoryModel getDate(string str)
{
CategoryModel obj = new Models.CategoryModel();
StaticCat objc = new StaticCat();
objc.CategoryID = 0;
obj.obj1 = objc;
DataTable CatTable = new DataTable();
using (SqlConnection conn = new SqlConnection(connectionString))
{
conn.Open();
//string str =obj.obj1.CategoryName ;
SqlDataAdapter sqlDb = new SqlDataAdapter("SELECT * FROM CategoryDetail WHERE CatName LIKE '%" + str + "%'", conn);
sqlDb.Fill(CatTable);
}
List<CategoryLists> obj2 = new List<CategoryLists>();
foreach (DataRow dr in CatTable.Rows)
{
CategoryLists obj3 = new CategoryLists();

            obj3.CategoryID = dr["catId"].ToString();
            obj3.Category = dr["catName"].ToString();
            obj3.Status = dr["CatStatus"].ToString();
            obj2.Add(obj3);

        }
        obj.obj2 = obj2;

        return obj;
    }
Developer technologies ASP.NET Other

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
    2022-05-31T15:20:08.687+00:00

    your code allows sql injection. you should use a command argument. append the % to search value.

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.