I am trying to create a search box in my application. In order to do so, I need to modify the SqlDataSource.SelectCommand. I will appreciate any help!

For testing I did it like this; it works, but it is vulnerable to SQL injection:

    SqlDataSource1.SelectCommand = "sp_offer_search '" + txtSearch.Text + "', " + Session["customerId"] + " , '" + "Pending"+ "'";
    GridView1.DataBind();

This is what I tried so far, but it is not working:

    if (txtSearch.Text != "")
    {
        // open connection
        oCn.Open();
        SqlCommand com = new SqlCommand(query, oCn);
        com.CommandType = CommandType.StoredProcedure;
        com.Parameters.AddWithValue("@Variable", txtSearch.Text);
        com.Parameters.AddWithValue("@CustomerId",Session["customerId"]);
        com.Parameters.AddWithValue("@Status", txtStatus.Text);
        DataTable dt = new DataTable();
        dt.Load(com.ExecuteReader());
        SqlDataSource1.SelectCommand = dt.ToString();
        GridView1.DataBind();
    }

.AddWithValue() - it can lead to unexpected and surprising results... – marc_s Jan 2 at 16:35
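
One way to keep the SqlDataSource and still pass the search text as data, as an added example that is not code from the original post: SelectCommand holds only the procedure name, and the values go into typed SelectParameters instead of the command string. The helper name `OfferSearchBinding` is hypothetical, and the parameter names (taken from the attempt above) and their types are assumptions about how `sp_offer_search` is declared.

```csharp
using System;
using System.Data;
using System.Globalization;
using System.Web.UI.WebControls;

// Hypothetical helper (not from the original post).
public static class OfferSearchBinding
{
    public static void Configure(SqlDataSource source, string searchText,
                                 object sessionCustomerId, string status)
    {
        if (source == null) throw new ArgumentNullException("source");

        // Session values are untyped objects: require a real integer before use.
        int customerId;
        if (sessionCustomerId == null ||
            !int.TryParse(sessionCustomerId.ToString(), NumberStyles.Integer,
                          CultureInfo.InvariantCulture, out customerId))
        {
            throw new InvalidOperationException("No valid customer id in session.");
        }

        // Only the procedure name goes here; user input is never concatenated in.
        source.SelectCommandType = SqlDataSourceCommandType.StoredProcedure;
        source.SelectCommand = "sp_offer_search";

        // SqlDataSource adds the "@" prefix itself, so names are given without it.
        // Assumed declarations: @Variable and @Status are strings, @CustomerId is an int.
        // Explicit DbType values avoid the type guessing that AddWithValue() does.
        source.SelectParameters.Clear();
        source.SelectParameters.Add("Variable", DbType.String, searchText ?? string.Empty);
        source.SelectParameters.Add("CustomerId", DbType.Int32,
                                    customerId.ToString(CultureInfo.InvariantCulture));
        source.SelectParameters.Add("Status", DbType.String, status ?? string.Empty);

        // An empty value can be sent as NULL, and by default SqlDataSource cancels
        // the select when any parameter is null. Let the procedure see the NULL.
        source.CancelSelectOnNullParameter = false;
    }
}

// Usage in the page's code-behind (control names as in the question):
//   OfferSearchBinding.Configure(SqlDataSource1, txtSearch.Text,
//                                Session["customerId"], "Pending");
//   GridView1.DataBind();
```

`SelectCommand` expects SQL text or a procedure name, so assigning `dt.ToString()` to it does not hand the loaded rows to the grid; `DataTable.ToString()` returns the table name, not its data.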