Quote:
"Select Office_Symbols FROM Office_Symbol_ID WHERE Office_Names = '" + ddlOfficeSymbolConvt.Text + "';"
Not like that!
Your code is almost certainly vulnerable to SQL Injection.
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
// Requires: using System; using System.Data.SqlClient;
using (SqlConnection conn = new SqlConnection("Database connection"))
using (SqlCommand cmd = new SqlCommand("Select Office_Symbols FROM Office_Symbol_ID WHERE Office_Names = @Office_Names;", conn))
{
    // The user's value is bound to the @Office_Names placeholder; it is never spliced into the SQL text.
    cmd.Parameters.AddWithValue("@Office_Names", ddlOfficeSymbolConvt.Text);
    conn.Open();
    // ExecuteScalar returns the first column of the first row, DBNull for a NULL value, or null when there are no rows.
    object result = cmd.ExecuteScalar();
    if (result == null || Convert.IsDBNull(result))
    {
        lblOffice_SymbolsCovnt.Text = string.Empty;
    }
    else
    {
        lblOffice_SymbolsCovnt.Text = Convert.ToString(result);
    }
}
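To make the difference concrete, here is an added example (not the poster's code, and not ADO.NET) that runs the same two query shapes against a constructed in-memory SQLite table standing in for Office_Symbol_ID. The concatenated form breaks as soon as a legitimate office name contains a single quote, while the parameterized form returns the right row; the table rows and the helper names are assumptions made for this example.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the asker's Office_Symbol_ID table (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Office_Symbol_ID (Office_Names TEXT, Office_Symbols TEXT)")
    conn.executemany(
        "INSERT INTO Office_Symbol_ID VALUES (?, ?)",
        [("Logistics", "LOG"), ("O'Neill Annex", "ONA")],
    )
    return conn


def lookup_concatenated(conn, office_name):
    # Mirrors the original pattern: the user's value is spliced into the SQL text,
    # so the database parser sees the value as part of the statement.
    sql = (
        "SELECT Office_Symbols FROM Office_Symbol_ID WHERE Office_Names = '"
        + office_name
        + "';"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else ""


def lookup_parameterized(conn, office_name):
    # Mirrors the corrected pattern: a placeholder in the SQL, the value bound separately.
    # SQLite uses '?' where SQL Server uses '@Office_Names'; the principle is identical.
    sql = "SELECT Office_Symbols FROM Office_Symbol_ID WHERE Office_Names = ?;"
    row = conn.execute(sql, (office_name,)).fetchone()
    return row[0] if row else ""


def compare(office_name):
    # Returns (concatenated_result, parameterized_result) for one input.
    # A parse failure in the concatenated query is reported instead of raised,
    # which is what a user of the original page would have seen as an exception.
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, office_name)
    except sqlite3.Error as exc:
        concat = "ERROR: " + type(exc).__name__
    param = lookup_parameterized(conn, office_name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for name in ("Logistics", "O'Neill Annex", "No Such Office"):
        print(repr(name), "->", compare(name))
```

The apostrophe case is the one to watch: the concatenated query fails with a parse error on an ordinary name, which is the same mechanism that lets crafted input change the statement's meaning. The parameterized query never re-parses the value, so it returns "ONA" for the same input.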