asp.net 웹 양식에서 데이터를받습니다.

Question

이 프로그램의 잘못된 점은 무엇입니까 ?? da.Fill(dt);에 오류가 표시됩니다. 이 프로그램은 DataBase에서 이름으로 레코드를 검색하기위한 프로그램입니다.

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.UI; 
using System.Web.UI.WebControls; 
using System.Data.SqlClient; 
using System.Configuration; 
using System.Data; 
using System.Threading.Tasks; 

public partial class NameSearch : System.Web.UI.Page 
{ 
    public SqlConnection con = new 

     SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"]. 
     ConnectionString); 

    protected void Page_Load(object sender, EventArgs e) 
    { 
     con.Open(); 
    } 
    protected void btnSearch_Click(object sender, EventArgs e) 
    {   
     SqlCommand cmd = new SqlCommand("select * from case1 where  
     Name="+txtSearchName.Text,con); 
     cmd.CommandType = CommandType.StoredProcedure; 
     SqlDataAdapter da = new SqlDataAdapter(cmd); 
     DataSet dt = new DataSet(); 
     da.SelectCommand = cmd; 
     da.Fill(dt); 
     GridView1.DataSource = dt; 
     cmd.ExecuteNonQuery(); 
     con.Close(); 
    } 
} 

Answer 1

당신은 SQL 주입을 방지하기 위해 StoredProcedure ..Use 매개 변수화 된 쿼리 대신 CommandType을에 Text를 사용할 필요가

string name=txtSearchName.Text; 
SqlCommand cmd = new SqlCommand("select * from case1 where Name=@name",con); 
cmd .Parameters.AddWithValue("@name", name); 
cmd.CommandType = CommandType.Text; 
da.SelectCommand = cmd; 
da.Fill(dt); 
GridView1.DataSource = dt; 
GridView1.DataBind(); 
con.Close(); 

Answer 2

SqlCommand cmd = new SqlCommand("select * from case1 where  
    Name='"+txtSearchName.Text + "'",con); 
    cmd.CommandType = CommandType.Text; 
    SqlDataAdapter da = new SqlDataAdapter(cmd); 
    DataSet ds= new DataSet(); 
    da.SelectCommand = cmd; 
    da.Fill(ds, "FooTable"); 
    GridView1.DataSource = ds.Tables["FooTable"];; 
    cmd.ExecuteNonQuery(); 
    con.Close();