ajays3356534 wrote:
using (SqlDataAdapter adapt = new SqlDataAdapter("Select * from dbo.SubMenuTable Where ParentId=" + _parentnode, con))
First problem: You're trying to pass _parentnode to the query. I suspect you meant to pass _parentId instead.
Second problem: NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Although in this particular case, since you're passing an int, your code won't be vulnerable to SQL Injection, you should still avoid using string concatenation. Otherwise, you'll forget and concatenate a user-supplied string; or someone else will copy your code without realising the caveat.
using (SqlDataAdapter adapt = new SqlDataAdapter("Select * from dbo.SubMenuTable Where ParentId = @ParentId", con))
{
    adapt.SelectCommand.Parameters.AddWithValue("@ParentId", _parentId);
    ...
}
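Added example, not part of the original reply: it shows what changes when the same pattern is later reused with a string value. With concatenation the input becomes part of the SQL text; with typed parameters the SQL text stays constant. The `Title` column, its `NVarChar(100)` size and the sample value are assumptions made for illustration; only `dbo.SubMenuTable` and `ParentId` come from the post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class SubMenuQueries
{
    // Anti-pattern: the value is spliced into the SQL text itself.
    // "Title" is a hypothetical string column, assumed for this example.
    public static SqlCommand BuildConcatenated(string title) =>
        new SqlCommand("Select * from dbo.SubMenuTable Where Title = '" + title + "'");

    // The SQL text is constant; values travel separately as typed parameters.
    public static SqlCommand BuildParameterized(int parentId, string title)
    {
        var cmd = new SqlCommand(
            "Select * from dbo.SubMenuTable Where ParentId = @ParentId And Title = @Title");
        cmd.Parameters.Add("@ParentId", SqlDbType.Int).Value = parentId;
        cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 100).Value = title;
        return cmd;
    }

    // How the parameterized command is run against an open connection.
    public static DataTable Load(SqlConnection con, int parentId, string title)
    {
        using (SqlCommand cmd = BuildParameterized(parentId, title))
        using (var adapt = new SqlDataAdapter(cmd))
        {
            cmd.Connection = con;
            var table = new DataTable();
            adapt.Fill(table);
            return table;
        }
    }

    // Runs without a database: only the command objects are inspected.
    static void Main()
    {
        string title = "O'Brien"; // constructed sample input containing a quote
        using (SqlCommand bad = BuildConcatenated(title))
            Console.WriteLine(bad.CommandText);   // the quote ends the SQL literal early
        using (SqlCommand good = BuildParameterized(1, title))
        {
            Console.WriteLine(good.CommandText);  // identical for every input
            foreach (SqlParameter p in good.Parameters)
                Console.WriteLine(p.ParameterName + " (" + p.SqlDbType + ") = " + p.Value);
        }
    }
}
```

Declaring the type with `Parameters.Add(name, SqlDbType)` rather than `AddWithValue` also stops ADO.NET from inferring the parameter type from the .NET value.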