ansaurus

Question

Answer 1

+1 A:

Better for security if you use parameters in your SQL query.

MicTech 2009-06-17 09:20:39

Answer 2

+1 A:

I suppose you should create an SqlCommand with 2 parameters. The code you posted here is not safe for SQL Injection attacks.

Please follow:

http://msdn.microsoft.com/en-us/library/ms161953.aspx

Bogdan_Ch 2009-06-17 09:21:58

Answer 3

+1 A:

To answer your question, however, your code creates the SQL:

SELECT * FROM Students WHERE name='NAMEand [buil-id]='ID'

should be

SELECT * FROM Students WHERE name='NAME' and [buil-id]='ID'

Kobi 2009-06-17 09:25:16

Answer 4

+2 A:

Please use parameters! If for some reason you're against them, this should work:

string strStatement = String.Format("SELECT * FROM Students WHERE [name] = '{0}' AND [buil-id] = '{1}'", byNametextBox.Text, byBuildingtextBox.Text);
da = new SqlDataAdapter(strStatement, MyConn);

Barry Gallagher 2009-06-17 09:33:07

thanks for you too much

2009-06-17 09:51:49

This isn't parameters. You're still creating a string, it's almost the same.

Kobi 2009-06-17 10:02:48

Yes Kobi, but like I said if for some reason he's AGAINST using parameters, the code I posted WILL work (his source code was formatted incorrectly and would not).

Barry Gallagher 2009-06-17 10:10:42

Well, yes. Defiantly, this is a cleaner syntax for that.

Kobi 2009-06-17 10:55:07

Parameters are must but this does the trick he wanted.

blntechie 2009-06-17 12:30:30

ansaurus

tags:

views:

answers:

another sql query statment

related questions