How to call an ASP parameter in a SQL command.

Example: cmd.CommandText = "SELECT name FROM server WHERE code="+TextBox1.Text;

Is it correct?
Posted; updated 24-Oct-11 22:56pm
Comments
priyagoel 21-Aug-13 1:33am
try
{
    if (cn.State == ConnectionState.Closed)
    {
        cn.Open();
    }
    // "i < dt1.Rows.Count - 1" in the original skipped the last row of dt1.
    for (int i = 0; i < dt1.Rows.Count; i++)
    {
        DataRow row = dt1.Rows[i];

        // Original poster's question at this point: how to write the WHERE clause that
        // matches name, days, hdays, months and years against the row values.
        // The concatenated string in the post was not valid C#, so the check is written
        // here with parameters, which also keeps the row values out of the SQL text.
        string check = "select count(*) from inventory where name = @name and days = @days"
                     + " and hdays = @hdays and months = @months and years = @years";
        SqlCommand chk = new SqlCommand(check, cn);
        chk.Parameters.Add("@name", SqlDbType.VarChar).Value = row["name"].ToString();
        chk.Parameters.Add("@days", SqlDbType.Int).Value = Convert.ToInt32(row["days"]);
        chk.Parameters.Add("@hdays", SqlDbType.Int).Value = Convert.ToInt32(row["hdays"]);
        chk.Parameters.Add("@months", SqlDbType.Int).Value = Convert.ToInt32(row["months"]);
        chk.Parameters.Add("@years", SqlDbType.Int).Value = Convert.ToInt32(row["years"]);
        int existing = (int)chk.ExecuteScalar();

        // The original tested dt1.Rows.Count here (the source table, always > 0 inside
        // the loop), so the insert branch could never run; test the query result instead.
        if (existing == 0)
        {
            string insert = "insert into inventory(name,days,hdays,months,years)"
                          + " values(@name,@days,@hdays,@months,@years)";
            SqlCommand ad2 = new SqlCommand(insert, cn);
            ad2.Parameters.Add("@name", SqlDbType.VarChar).Value = row["name"].ToString();
            ad2.Parameters.Add("@days", SqlDbType.Int).Value = Convert.ToInt32(row["days"]);
            ad2.Parameters.Add("@hdays", SqlDbType.Int).Value = Convert.ToInt32(row["hdays"]);
            ad2.Parameters.Add("@months", SqlDbType.Int).Value = Convert.ToInt32(row["months"]);
            ad2.Parameters.Add("@years", SqlDbType.Int).Value = Convert.ToInt32(row["years"]);
            ad2.ExecuteNonQuery();
        }
    }
}
finally
{
    // The original try block had no catch or finally; close the connection either way.
    cn.Close();
}
Solution 4

It depends on the data type of column "code" in table "server".

If the data type is Int/Numeric, then the code below should work.
cmd.CommandText = "SELECT name FROM server WHERE code="+TextBox1.Text;

In case the data type is Varchar / non-numeric, then try as below.
cmd.CommandText = "SELECT name FROM server WHERE code='" + TextBox1.Text + "'";

However, I don't recommend in-line queries to you. Instead use a parametrized query, because a plain inline query is an invitation for SQL injection.
using System.Data;
using System.Data.SqlClient;

string sqlConnectString = "YourConnectionString";
string sqlSelect = "SELECT name FROM server WHERE code = @CodeValue";

// Convert the text before it goes anywhere near the database; with SqlDbType.Int
// a non-numeric string would otherwise fail only at execution time.
int codeValue;
if (!int.TryParse(TextBox1.Text, out codeValue))
{
    return; // or show a validation message to the user
}

DataTable sqlDt = new DataTable();
using (SqlConnection sqlConnection = new SqlConnection(sqlConnectString))
using (SqlCommand sqlCommand = new SqlCommand(sqlSelect, sqlConnection))
{
    sqlCommand.Parameters.Add("@CodeValue", SqlDbType.Int); // Set SqlDbType based on your DB column data type
    sqlCommand.Parameters["@CodeValue"].Value = codeValue;

    SqlDataAdapter sqlDa = new SqlDataAdapter(sqlCommand);
    sqlDa.Fill(sqlDt); // Fill opens and closes the connection itself
}
Comments
Sander Rossel 25-Oct-11 5:17am
Where do you set the value of @CodeValue? ;)
Please see my answer for a shorter notation.

RaisKazi 25-Oct-11 5:18am
That was missed. :) Please look at my updated answer.

Sander Rossel 25-Oct-11 6:12am
Yep, looking much better. My 5 for a correct and complete answer.

RaisKazi 25-Oct-11 5:19am
Yup, already voted. :)

Solution 5

Always use parameterized queries!
Your current solution is not SQL-injection safe.
Adding parameters is quite easy, in fact.
cmd.CommandText = "SELECT name FROM server WHERE code = @code";
cmd.Parameters.AddWithValue("@code", TextBox1.Text);

.NET/SQL will now replace @code with the correct value. No chance of SQL injection, cleaner code, and the query is cached, which gives better performance.
Everyone wins! :)
Comments
RaisKazi 25-Oct-11 5:17am
My 5! Parametrized queries are always better considering the security issue.

Sander Rossel 25-Oct-11 6:11am
Thanks! :)
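Solution 4 and Solution 5 above describe the mechanism (a concatenated value is parsed as SQL, a bound parameter is not) without showing what the database actually receives in each case. The block below is an added example, not code from the original thread or from either answerer; it uses Python's sqlite3 module as an offline stand-in for SqlConnection/SqlCommand, since the failure of string concatenation and the effect of a bound parameter are the same in any client library. The `server` table, its `code_num`/`code_txt` columns (one for each data-type case in Solution 4) and the rows in `SAMPLE_ROWS` are constructed for the example; `?` is sqlite's parameter placeholder where ADO.NET uses `@code`.

```python
import sqlite3

# Constructed sample rows for the "server" table from the question (not real data).
# code_num plays the Int column and code_txt the Varchar column from Solution 4;
# "o'neil" is there to show what an ordinary apostrophe does to concatenation.
SAMPLE_ROWS = [
    (10, "alpha", "web01"),
    (20, "bravo", "web02"),
    (30, "o'neil", "db01"),
]


def make_db():
    """In-memory SQLite database standing in for the SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE server (code_num INTEGER, code_txt TEXT, name TEXT)")
    conn.executemany("INSERT INTO server VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_inline_numeric(text):
    """String concatenation exactly as in the question: int column, no quotes."""
    return "SELECT name FROM server WHERE code_num=" + text


def build_inline_varchar(text):
    """String concatenation for a varchar column: the value is wrapped in quotes."""
    return "SELECT name FROM server WHERE code_txt='" + text + "'"


def names(cursor):
    return [row[0] for row in cursor.fetchall()]


def inline_lookup(conn, sql):
    """Execute a concatenated query as built; the DB parses whatever was pasted in."""
    return names(conn.execute(sql))


def param_numeric(conn, text):
    """Parameterised lookup against the int column.

    Mirrors SqlDbType.Int in Solution 4: the text is converted to an integer
    before it reaches the driver, so "20 OR 1=1" raises ValueError instead of
    being parsed as SQL.
    """
    return names(conn.execute("SELECT name FROM server WHERE code_num = ?", (int(text),)))


def param_varchar(conn, text):
    """Parameterised lookup against the text column.

    The driver sends the value separately from the statement text, so quotes
    inside the input are data, not syntax.
    """
    return names(conn.execute("SELECT name FROM server WHERE code_txt = ?", (text,)))


def demo():
    """Run every case against a fresh database and return the outcomes by name."""
    conn = make_db()
    results = {
        "inline_num_ok": inline_lookup(conn, build_inline_numeric("20")),
        "inline_num_attack": sorted(inline_lookup(conn, build_inline_numeric("20 OR 1=1"))),
        "inline_txt_attack": sorted(inline_lookup(conn, build_inline_varchar("' OR '1'='1"))),
        "param_num_ok": param_numeric(conn, "20"),
        "param_txt_attack": param_varchar(conn, "' OR '1'='1"),
        "param_txt_quote": param_varchar(conn, "o'neil"),
    }
    # A legitimate apostrophe breaks the concatenated statement outright.
    try:
        inline_lookup(conn, build_inline_varchar("o'neil"))
        results["inline_txt_quote"] = "ran"
    except sqlite3.OperationalError:
        results["inline_txt_quote"] = "syntax error"
    # The typed parameter refuses the numeric payload before any SQL is sent.
    try:
        param_numeric(conn, "20 OR 1=1")
        results["param_num_attack"] = "ran"
    except ValueError:
        results["param_num_attack"] = "rejected"
    return results


if __name__ == "__main__":
    print(build_inline_numeric("20 OR 1=1"))
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the concatenated text for the input `20 OR 1=1` (`WHERE code_num=20 OR 1=1`) returning every row and `' OR '1'='1` doing the same on the text column, while the parameterised lookups return only the matching row, or nothing, for the same inputs. The `o'neil` case is the other half of the problem: plain concatenation fails on an ordinary apostrophe, the parameter passes it through. One caveat on Solution 5's `AddWithValue`: it infers the SQL type from the .NET value, so a TextBox string is sent as nvarchar. That is still injection-safe, but against an int column it forces an implicit conversion on the server side, which is why Solution 4's explicit `SqlDbType` with a prior `int.TryParse` is the better habit.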

Solution 2

Comments
kiran dangar 25-Oct-11 7:09am
Same solution posted 2 times??? This is the second time I have noticed this.

Anuja Pawar Indore 25-Oct-11 7:15am
If you noticed that, you must have noticed that I deleted it at the same time.

Solution 6

Hi,

cmd.CommandText = "SELECT name FROM server WHERE code='" + TextBox1.Text + "'";

This could be the correct syntax, but it is no longer the right way to write the code in real-time applications.
In real-time applications, whenever you're passing form data to the DB you had better assign it to a parameter and then send it to the DB to prevent SQL injection.

Thanks...
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 25 Oct 2011
Copyright © CodeProject, 1999-2019
All Rights Reserved.