Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Using con As New SqlConnection(strConnect)
con.Open()
Using cmd As New SqlCommand("SELECT city FROM glmast WHERE glname=@GLN", con)
cmd.Parameters.AddWithValue("@GLN", list_customer.Items[i].Value)
Using reader As SqlDataReader = cmd.ExecuteReader()
While reader.Read()
Console.WriteLine("City: {0}", reader("city"))
End While
End Using
End Using
End UsingDoing this will also cure your problem...
"can you caonvert this vb code to c# code ? please"
using (SqlConnection con = new SqlConnection(strConnect))
{
con.Open();
using (SqlCommand cmd = new SqlCommand("SELECT city FROM glmast WHERE glname=@GLN", con))
{
cmd.Parameters.AddWithValue("@GLN",list_customer.Items[i].Value);
using (SqlDataReader reader = cmd.ExecuteReader())
{
while (reader.Read())
{
Console.WriteLine("City: {0}", reader["city"]));
}
}
}
}
[edit]Fixed C# conversion - OriginalGriff[/edit]
Submit an article or tip