Connecting to VFP Data in ASP.NET
Message
General information
Forum: Visual FoxPro
Category: Visual FoxPro and .NET
Miscellaneous
Thread ID: 01072118
Message ID: 01082962
Views: 19
Scratch that, I figured out that there was an extra single quote supplied. I replaced textbox1 with a var for simplicity. It works!! Thank you. The thing is this leaves me open to injection attack?


>Bonnie, thanks for weighing in on this. Cetin is a guru way above me. I am kinda new to this .net, but taking your advice yields this error: Command contains "unrecognized phrase/keyword."
>without it pointing to exactly what the error is. For one, you had a mismatch of parentheses, I removed it, but still got the error. BTW I use VB here (but was disappointed when the .net developers left VFP in the dust)
>
>
>
>>Tim,
>>
>>>Cetin, isn't ADO for xml data? I have not delved into that before.<
>>
>>PMFJI ... no, ADO.NET isn't only for XML data. ADO.NET refers to anything you do with data ... that means the data store (DataSets, DataTables, etc), plus the data access. So, yes, you've used ADO.NET when you access SQL Server, VFP or any other database.
>>
>>You really should look into parameterizing your database calls, as Cetin has tried to explain. But, since you want an answer using your method of building a string, it would simply be something like this:
>>
>>Your way:
>>
>>vDataSource2.SelectCommand = "SELECT title, type_dish FROM dish WHERE title LIKE '%'" + TextBox1.Text + "'%')"
>>
>>Cetin's way:
>>
>>vDataSource2.SelectCommand = String.Format("select * from myTable where title like '%{0}%'", TextBox1.Text)
>>
>>
>>Both methods will give you the same SelectCommand string.
>>
>>~~Bonnie
"Build a man a fire, and he's warm for a day.
Set a man on fire, and he's warm for the rest of his life."
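
The parameterized form that the thread recommends for the `dish` search, as an added example that is not code from any poster in this thread. It assumes the VFP OLE DB provider (`VFPOLEDB.1`) and a placeholder data folder path; `DishSearch` and `FindDishes` are hypothetical names.

```vb
Imports System.Data
Imports System.Data.OleDb

Public Module DishSearch

    ' Assumed connection string: the data folder path is a placeholder.
    Private Const ConnStr As String = "Provider=VFPOLEDB.1;Data Source=C:\path\to\data\"

    ' Hypothetical helper: returns dishes whose title contains searchTerm.
    Public Function FindDishes(searchTerm As String) As DataTable
        ' The SQL text is a constant. User input never becomes part of it,
        ' so a quote typed into the search box cannot change the statement.
        Const sql As String = "SELECT title, type_dish FROM dish WHERE title LIKE ?"

        Dim result As New DataTable()
        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(sql, conn)
                ' OLE DB parameters are positional: the name is only a label,
                ' and the order of Add calls must match the order of the ? marks.
                ' The % wildcards are part of the value, not of the SQL string.
                ' A % or _ typed by the user still acts as a LIKE wildcard;
                ' that widens the match but does not alter the statement.
                cmd.Parameters.Add("title", OleDbType.VarChar).Value = "%" & searchTerm & "%"

                Using adapter As New OleDbDataAdapter(cmd)
                    ' Fill opens the connection if needed and closes it again.
                    adapter.Fill(result)
                End Using
            End Using
        End Using
        Return result
    End Function

End Module
```

Calling `FindDishes(TextBox1.Text)` with input such as `O'Brien` searches for that literal text, where the concatenated string would produce a syntax error or a different statement.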