
When searching for a user's full name and it is found, I would like to retrieve the rest of the user's info from all the table columns and display them in text boxes. E.g. textbox1=ID, textbox2=userInitials, textbox3=userEmail

When I run the code below, I receive the message box "User Found" but I don't know if this is actually working as I am not returning any values. How would I do this? Many thanks.

```vb
Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
    Dim searchQuery As String = "Select * from userInfoTable where [userFullName]= '" & SearchName.Text & "'"
    ExecuteQuery(searchQuery)
    MessageBox.Show("User Found.")
End Sub

Public Sub ExecuteQuery(query As String)
    Dim command As New SqlCommand(query, connection)

    connection.Open()
    command.ExecuteNonQuery()
    connection.Close()
End Sub
```
Dale K
Matt
  • Well - `ExecuteNonQuery` is for SQL commands that **do not return** any data - like `INSERT`, `UPDATE` or `DELETE`. If you want to fetch data, you need to use either `ExecuteReader` and iterate over the rows returned by the reader, or fill a datatable with it – marc_s Jul 05 '20 at 20:29
  • You ***need*** to learn how to parametrise your queries! This is wide open to injection, and thus is a *huge* security flaw. – Thom A Jul 05 '20 at 20:33
  • Hi @Larnu I'm very new to the world of coding, can I ask what you mean by parametrise the queries and would you point me to a good learning source? Thanks. – Matt Jul 05 '20 at 21:56
  • [What is parameterized query?](https://stackoverflow.com/q/4712037/2029983) – Thom A Jul 05 '20 at 21:59

1 Answer

You are using ExecuteNonQuery(), but that's for when you want to execute something that doesn't return a result set. In your case you do want the result set. So instead of that, you want to use ExecuteReader(), then read from the "reader" that gets returned. Like this.

allmhuran
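
An added example, not the answerer's or the asker's code: it combines the `ExecuteReader` advice in the answer with the parameterised query the comments ask for, and copies the first matching row into the text boxes. The column names `ID`, `userInitials` and `userEmail` are taken from the question's description; the control names `TextBox1` to `TextBox3`, the connection string placeholder and the `NVARCHAR(100)` column size are assumptions.

```vb
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient
Imports System.Windows.Forms

Public Class Form1
    ' Placeholder (assumption): supply your own connection string.
    Private Const ConnectionString As String = "<your connection string>"

    ' Returns the first row whose userFullName matches, or Nothing when there is none.
    Private Function FindUser(fullName As String) As Dictionary(Of String, String)
        ' @fullName is a parameter marker. The value is sent separately from the SQL
        ' text, so quotes typed into the search box cannot change the statement.
        Const sql As String =
            "SELECT ID, userInitials, userEmail FROM userInfoTable WHERE userFullName = @fullName"

        Using connection As New SqlConnection(ConnectionString),
              command As New SqlCommand(sql, connection)
            ' Explicit type and length (assumed NVARCHAR(100)) rather than AddWithValue.
            command.Parameters.Add("@fullName", SqlDbType.NVarChar, 100).Value = fullName
            connection.Open()

            ' ExecuteReader returns the result set; ExecuteNonQuery discards it.
            Using reader As SqlDataReader = command.ExecuteReader()
                If Not reader.Read() Then Return Nothing ' no matching row

                Dim row As New Dictionary(Of String, String)
                For i As Integer = 0 To reader.FieldCount - 1
                    ' Map DBNull to an empty string so assigning to a TextBox never throws.
                    row(reader.GetName(i)) = If(reader.IsDBNull(i), "", reader.GetValue(i).ToString())
                Next
                Return row
            End Using
        End Using ' connection and command are disposed even if an exception is thrown
    End Function

    Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
        Dim user As Dictionary(Of String, String) = FindUser(SearchName.Text)
        If user Is Nothing Then
            MessageBox.Show("User not found.")
            Return
        End If
        TextBox1.Text = user("ID")
        TextBox2.Text = user("userInitials")
        TextBox3.Text = user("userEmail")
    End Sub
End Class
```

The "User Found" message in the question appears whether or not a row matched; here the result of `reader.Read()` decides which branch runs.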