mysql c# search textbox

Question

Hi i'n trying to search a product name from database and display i ton my textbox but at same time i need the id from that product to insert it on grid and after on another table.

MySqlConnection connection = new MySqlConnection("connectonString");

            string selectQuery = "select descricao,codigo from produtos where (barras = '@barcodes') or(descricao like '%' + @product + '%')";
            connection.Open();
            MySqlCommand command = new MySqlCommand(selectQuery, connection);
            MySqlDataReader reader = command.ExecuteReader();
            command.Parameters.AddWithValue("@barras", Txtcodigo.Text);
            command.Parameters.AddWithValue("@product", Txtcodigo.Text);
            //MySqlDataReader reader = command.ExecuteReader();
            DataTable dt2 = new DataTable();
            dt2.Load(reader);
            DataView dvDataTable = new DataView(dt2);
            //DataRow row = dt2.Rows[1];
            Txtproduto.Text = reader.GetString("descricao");

It says my reader is empty but, i've used the same code to load combobox and it works, the only difference is that on combobox my select is: select * from unidades; and there re no parameters as there are only 2 rows on that table, and on products table there are more and i only need those 2: description and id; barcodes is just to search

Answer 1

Aside from possible SQL-Injection by concatenating strings, using parameters as you have is very close.

Your query string has (barras = '@barcodes'), strip the single 'quotes' and your parameter should be the "barcodes", not barras. As for your product with the "%" wild-cards, create a string that forces the entire parameter to default have them included... like

string selectQuery = 
@"select 
      descricao,
      codigo 
   from 
      produtos 
   where 
          barras = @barcodes 
      or descricao like @product";

MySqlCommand command = new MySqlCommand(selectQuery, connection);
// the "@" is not required for the parameter NAMEs below, jut the string
// name of the parameter as in the query.

// Ok to use the actual text from your textbox entry here
command.Parameters.AddWithValue("barcodes", Txtcodigo.Text);

// but use the STRING created with '%' before/after created above
string parmProduct = '%' + Txtcodigo.Text.Trim() + '%';
command.Parameters.AddWithValue("product", parmProduct);

// NOW you can execute the reader and pull your data
connection.Open();
MySqlDataReader reader = command.ExecuteReader();
DataTable dt2 = new DataTable();
dt2.Load(reader);
DataView dvDataTable = new DataView(dt2);
Txtproduto.Text = reader.GetString("descricao");