You should use a parameterized query to take input from the user and then retrieve data.
Sample:
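// Parameterized UPDATE: the SQL text is a fixed literal; the user-supplied
// values travel as typed parameters, so they are never interpreted as SQL.
string commandText = "UPDATE Store SET CustomerName = @custName WHERE CustomerID = @ID;";

// Constructed sample value — replace with the declared length of the
// Store.CustomerName column so the parameter matches the column definition.
const int customerNameLength = 50;

// Both the connection and the command are disposable; stacking the using
// statements guarantees the command is released even when Open() throws.
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand command = new SqlCommand(commandText, connection))
{
    // Explicit type for the key: the value is sent as an Int, not inferred.
    command.Parameters.Add("@ID", SqlDbType.Int).Value = customerID;

    // Explicit type and length instead of AddWithValue: AddWithValue infers
    // the SQL type and size from the .NET value, so every distinct input
    // length can produce a differently-typed parameter and a different
    // query plan. Declaring NVarChar(length) keeps the parameter stable and
    // compatible with the column.
    command.Parameters.Add("@custName", SqlDbType.NVarChar, customerNameLength).Value = inputCustomerName;

    try
    {
        connection.Open();
        int rowsAffected = command.ExecuteNonQuery();
        Console.WriteLine("RowsAffected: {0}", rowsAffected);
    }
    catch (SqlException ex)
    {
        // Only database errors are handled here; programming errors such as
        // InvalidOperationException propagate instead of being hidden.
        Console.WriteLine(ex.Message);
    }
}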
Look here for parameterized queries and their usage:
MSDN: Configuring Parameters and Parameter Data Types (ADO.NET)
MSDN: DataAdapter Parameters (ADO.NET)
MSDN: SqlCommand.Parameters Property