Dynamic SQL =[
First here is why you should never use Dynamic SQL:
http://xkcd.com/327/
Here is the problem with your methodology:
Say, for example, I wanted to search for a client reference, so I typed string x into the text box; the SQL would be:
SELECT <columns> FROM <table> WHERE client LIKE '%" + textbox.text + "%'";
So then I say that I want to add another criterion; you run into a logic problem like this:
SELECT <columns> FROM <table> WHERE client LIKE '%" + textbox.text + "%' AND secondCritera LIKE '%" + textbox2.text + "'";
But what if I want the SQL to execute like this:
SELECT <columns> FROM <table> WHERE client LIKE '%" + textbox.text + "%' OR secondCritera LIKE '%" + textbox2.text + "'";
You have a large list of possibilities where the user might want the logic to be AND or OR, so I think you need to consider that.
Also, what if I were to put this string into one of my text boxes:
foo'; DROP TABLE users; --
Your select statement would now literally evaluate to this:
SELECT <columns> FROM <table> WHERE client LIKE '%foo'; DROP TABLE users; --' OR secondCritera LIKE '%value'";
If the user gets away with this, they could execute something like SELECT QUOTENAME(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES; it would return a listing of all tables in your database, and the aforementioned DROP TABLE command becomes much more scary.
I would really reconsider your approach.
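An added example, not code from the original post: the string-concatenation search the post describes beside a parameterized version that still lets the caller choose AND or OR. It uses Python's sqlite3 in memory with constructed sample rows, and executescript stands in for a driver that accepts batched statements, as the post's SQL Server example does.

```python
import sqlite3

# Constructed sample data, not from the original post.
ROWS = [("acme corp", "active"), ("foo industries", "closed"), ("bar ltd", "active")]
ALLOWED_OPS = {"AND", "OR"}  # the only join operators the search will accept


def fresh_db():
    """Build an in-memory database with a clients table and a users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE clients (client TEXT, status TEXT)")
    con.execute("CREATE TABLE users (name TEXT)")
    con.executemany("INSERT INTO clients VALUES (?, ?)", ROWS)
    return con


def build_unsafe(text1, text2, join_op):
    """The post's approach: user text is spliced straight into the SQL string."""
    return ("SELECT client FROM clients WHERE client LIKE '%" + text1 + "%' "
            + join_op + " status LIKE '%" + text2 + "%'")


def table_exists(con, name):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return con.execute(q, (name,)).fetchone() is not None


def run_unsafe(con, text1, text2, join_op):
    """Run the concatenated query as a batch; returns whether users survived."""
    # executescript emulates a driver that executes several statements at
    # once, so the injected DROP TABLE in the post's payload actually runs.
    con.executescript(build_unsafe(text1, text2, join_op))
    return table_exists(con, "users")


def search_safe(con, text1, text2, join_op):
    """Hardened form: whitelisted operator, user text bound as parameters."""
    if join_op not in ALLOWED_OPS:
        raise ValueError("join operator must be AND or OR")
    # Only the operator, chosen from the fixed set above, becomes SQL text;
    # the search strings travel as data, so quotes and ';' have no effect.
    sql = ("SELECT client FROM clients WHERE client LIKE ? "
           + join_op + " status LIKE ?")
    params = ("%" + text1 + "%", "%" + text2 + "%")
    return [row[0] for row in con.execute(sql, params)]
```

With the payload from the post, run_unsafe drops the users table while search_safe simply finds no matching client.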