// Concatenated form: the table name and every value are pasted straight into the SQL text,
// so whatever they contain becomes part of the statement (SQL injection).
// pName is the only value wrapped in quotes, and nothing here escapes any of them.
String selectStr = "select * from " + thisTable + " where pId = " + argID + " OR pAltId = " + alt_ID +" OR pMobile = " + p_mobile +" OR pDate =" + p_date +" OR
pName = '"+ p_Name +"'"
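Building the statement by concatenation lets any of those values rewrite the query (SQL injection). Something better to use would be a parameterized command: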
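// Runs the lookup with every value bound as a parameter and copies the first three
// columns of each row into columnOne/columnTwo/columnThree (the last row read wins).
SqlDataReader selectCommandResult = null;
try
{
    // A table name cannot be bound as a parameter: in "FROM @table" SQL Server treats
    // @table as a table variable, so the statement fails. Only values can be parameters.
    // The identifier is therefore bracket-quoted, with any ']' doubled so the name cannot
    // close the brackets early. Quoting does not restrict WHICH table is read: thisTable
    // should come from a fixed list of table names defined by the application.
    // NOTE(review): assumes thisTable is a bare table name without a schema prefix — confirm.
    string quotedTable = "[" + thisTable.Replace("]", "]]") + "]";

    using (SqlCommand selectCommand = new SqlCommand(
        "SELECT * FROM " + quotedTable
        + " WHERE pId = @paramId OR pAltId = @paramAltId OR pMobile = @paramMobile"
        + " OR pDate = @paramDate OR pName = @paramName",
        SqlConnectionHolder) { CommandType = CommandType.Text })
    {
        // The values travel separately from the SQL text, so their content is never parsed as SQL.
        // AddWithValue infers the SQL type from the .NET value.
        // NOTE(review): confirm each variable's type matches its column (e.g. p_date as DateTime).
        selectCommand.Parameters.AddWithValue("@paramId", argID);
        selectCommand.Parameters.AddWithValue("@paramAltId", alt_ID);
        selectCommand.Parameters.AddWithValue("@paramMobile", p_mobile);
        selectCommand.Parameters.AddWithValue("@paramDate", p_date);
        selectCommand.Parameters.AddWithValue("@paramName", p_Name);

        selectCommandResult = selectCommand.ExecuteReader();
        while (selectCommandResult.Read())
        {
            columnOne = selectCommandResult.GetValue(0).ToString().Trim();
            columnTwo = selectCommandResult.GetValue(1).ToString().Trim();
            columnThree = selectCommandResult.GetValue(2).ToString().Trim();
        }
    }
}
finally
{
    // No catch block: "catch (Exception ex) { throw ex; }" only reset the stack trace.
    // Exceptions still propagate to the caller, now with their original trace.
    // The reader is released either way so the connection is free for the next command.
    if (selectCommandResult != null)
    {
        selectCommandResult.Dispose();
    }
}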
Might I also suggest you make a habit of keeping one naming convention per project. For example, the variable names you've used below:
thisTable
p_mobile
alt_ID
argID
Should all be one convention like:
tbTableName
pMobileParam
pAltIdParam
pArgIdParam
It will make it easier to read in the future.
Further reading:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.aspx