
C# App SQL Query

Okay basically I have a SQL Server database that has details in it.

Column names: Student_Id , Student_name , Unit_number , Unit_grade

I would like to query this database using two textboxes where you enter the id and unit_number and it will return the results in a message box when a button is clicked.

Where the question marks in the code are is where I am unsure of how to display a message box with the result. Unless this is completely the wrong way of doing things, I am only starting out with SQL in C#

I shouldn't be prone to SQL Injection using parameters as far as I know?

try
{
    string str = "SELECT * FROM Students WHERE (Student_Id, Unit_number LIKE '%' + @search + '%')";

    SqlCommand command = new SqlCommand(str, connect);
    command.Parameters.Add("@search", SqlDbType.NVarChar).Value = textBox1.Text;
    command.Parameters.Add("@search", SqlDbType.NVarChar).Value = textBox2.Text;

    connect.Open();
    command.ExecuteNonQuery();

    SqlDataAdapter dataAdapt = new SqlDataAdapter();
    dataAdapt.SelectCommand = command;

    DataSet dataSet = new DataSet();

    dataAdapt.Fill(dataSet, "Student_Id, Unit_number");
    //?
    //?

    connect.Close();
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}

Your SQL is wrong in that your WHERE clause is syntactically incorrect. You probably want something like:

string str = "SELECT * FROM Students WHERE Student_ID = @id AND " +
    "Unit_number LIKE @search";

This assumes that Student_ID is a text type. The syntax would be slightly different if it was a number.

You are trying to add the same parameter to the query twice, which you won't want. Instead you'd want two parameters to match with the new SQL definition:

    command.Parameters.Add("id", SqlDbType.NVarChar).Value = 
        textBox1.Text;
    command.Parameters.Add("search", SqlDbType.NVarChar).Value = 
        "%" + textBox2.Text + "%";

Running ExecuteNonQuery on the SqlCommand object doesn't do much for you as it is a query and you're not asking for the result back.

If you're only expecting one table back from your query, you'd probably be better off with a DataTable rather than a DataSet (the DataSet can contain many tables which is overkill for what you need).

try
{
    string str = "SELECT * FROM Students WHERE Student_Id = @id AND " +
                 "Unit_number LIKE @search";

    connect.Open();

    SqlCommand command = new SqlCommand(str, connect);
    command.Parameters.Add("id", SqlDbType.NVarChar).Value = 
        textBox1.Text;
    command.Parameters.Add("search", SqlDbType.NVarChar).Value = 
        "%" + textBox2.Text + "%";
    SqlDataAdapter dataAdapt = new SqlDataAdapter();
    dataAdapt.SelectCommand = command;

    DataTable dataTable = new DataTable();

    dataAdapt.Fill(dataTable);

    // At this point you should have a DataTable with some results in it.

    // This is not going to be the best way of displaying data, 
    //  but it should show you _something_
    // It just iterates through the rows showing the columns 
    //  which you've shown as being in your data.

    foreach (DataRow dr in dataTable.Rows)
    {
        MessageBox.Show(String.Format("{0} - {1} - {2} - {3}", 
                        dr["Student_Id"], dr["Student_name"],
                        dr["Unit_number"], dr["Unit_grade"]));
    }

    connect.Close();
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}

EDITED to change the parameter handling as it didn't quite do what was needed. The % symbols are now part of the parameter rather than the SQL string.
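As an added example (it is not part of the question or the answer above), here is the same lookup factored into a method the button handler can call, so the form code only displays results. It keeps the answer's parameterized query and `%`-in-the-parameter approach, and adds two things a practitioner would want: `using` blocks so the connection is closed even when an exception is thrown, and escaping of the LIKE wildcard characters (`%`, `_`, `[`, `\`) in the user's input so that typing `%` in the unit box cannot widen the match to every row. The table and column names are taken from the question; the connection string, the `Student_Id`-is-text assumption (same as the answer) and the parameter sizes are my assumptions.

```csharp
// Added example, not code from the question or the answer.
// Assumes Student_Id is stored as text (as the answer does); use SqlDbType.Int
// and an int value if the column is numeric.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public sealed class StudentUnit
{
    public string StudentId;
    public string StudentName;
    public string UnitNumber;
    public string UnitGrade;

    public override string ToString()
    {
        return string.Format("{0} - {1} - {2} - {3}",
            StudentId, StudentName, UnitNumber, UnitGrade);
    }
}

public static class StudentRepository
{
    // Escapes the LIKE wildcard characters so user input such as "%" or "_"
    // matches literally instead of widening the search. The ESCAPE '\' clause
    // in the query tells SQL Server which escape character we used.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    public static List<StudentUnit> FindUnits(string connectionString,
                                              string studentId,
                                              string unitNumber)
    {
        // The SQL text is fixed; both user-supplied values travel as parameters
        // and are never concatenated into the string, so they cannot alter the
        // query's structure.
        const string sql =
            "SELECT Student_Id, Student_name, Unit_number, Unit_grade " +
            "FROM Students " +
            "WHERE Student_Id = @id AND Unit_number LIKE @search ESCAPE '\\'";

        var results = new List<StudentUnit>();

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Parameter sizes (50) are an assumption; match your column widths.
            command.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = studentId;
            command.Parameters.Add("@search", SqlDbType.NVarChar, 50).Value =
                "%" + EscapeLikePattern(unitNumber) + "%";

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(new StudentUnit
                    {
                        StudentId  = reader["Student_Id"].ToString(),
                        StudentName = reader["Student_name"].ToString(),
                        UnitNumber = reader["Unit_number"].ToString(),
                        UnitGrade  = reader["Unit_grade"].ToString()
                    });
                }
            }
        } // connection is closed and disposed here, even if an exception was thrown

        return results;
    }
}

// Button handler on the form; connectionString is assumed to be a field set
// from app configuration (placeholder, not a real value).
public partial class StudentForm : Form
{
    private readonly string connectionString = "<your connection string here>";

    private void searchButton_Click(object sender, EventArgs e)
    {
        try
        {
            List<StudentUnit> rows = StudentRepository.FindUnits(
                connectionString, textBox1.Text, textBox2.Text);

            if (rows.Count == 0)
            {
                MessageBox.Show("No matching rows.");
                return;
            }

            // One message box with all rows, rather than one box per row.
            MessageBox.Show(string.Join(Environment.NewLine, rows));
        }
        catch (SqlException ex)
        {
            // Show a short message to the user; log ex for the full details.
            MessageBox.Show("Database error: " + ex.Message);
        }
    }
}
```

Two points worth noting. First, parameters protect the query's structure, but they do not stop `%` or `_` in the input from acting as LIKE wildcards, which is why `EscapeLikePattern` and the `ESCAPE` clause are there; without them an empty unit box or a `%` returns every unit for that student. Second, catching `SqlException` rather than `Exception` keeps genuine programming errors visible during development instead of hiding them in a message box.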
