I need the code of a stored procedure for the following SQL command and the syntax for how to invoke the stored procedure in C#.
The Code is:
"SELECT * FROM (SELECT ROW_NUMBER() OVER (ORDER BY [index]) AS RowNum, * FROM [Products] WHERE ([manufacturer]='" + cys + "')) sub WHERE RowNum = '"+x+"'"

Reply needed ASAP.
NotPolitcallyCorrect 24-Jul-13 12:40pm
"Reply needed ASAP", some manners might be nice. What is wrong with reading the documentation?
RedDk 25-Jul-13 13:41pm
I'm not sure about manners, but from the looks of the WHERE clause here in the SELECT, when execution comes to substitution of the value, on the fly, for the column ("RowNum"), ssmse will throw a Msg 207 error "Invalid column name 'RowNum'."

1 solution

Solution 1


Have a look here:

I see that you use string concatenation to build a query. NEVER use string concatenation to build SQL queries! If you use it, your application isn't protected against SQL Injection! To prevent SQL Injection, use parameterized queries.
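The parameterized replacement for the question's query, as an added example that is not part of the original answer: the query wrapped in a stored procedure (the procedure name dbo.usp_GetProductByRow, the column types and the connection string are assumptions) and the ADO.NET call that invokes it with SqlParameter values in place of the concatenated cys and x.

```csharp
// Added example, not from the original question or answer: the concatenated
// query as a stored procedure with typed parameters, and the ADO.NET call
// that invokes it. Procedure name and column types are assumed.
using System.Data;
using System.Data.SqlClient;

public static class ProductPaging
{
    // T-SQL to run once against the database. @manufacturer and @rowNum are
    // parameters, so the caller's values are never spliced into the SQL text;
    // a quote or SQL fragment inside them is treated as data, not as syntax.
    public const string CreateProcedureSql = @"
CREATE PROCEDURE dbo.usp_GetProductByRow
    @manufacturer NVARCHAR(100),
    @rowNum       BIGINT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT *
    FROM (SELECT ROW_NUMBER() OVER (ORDER BY [index]) AS RowNum, *
          FROM [Products]
          WHERE [manufacturer] = @manufacturer) AS sub
    WHERE sub.RowNum = @rowNum;
END";

    // Replaces the concatenated query: cys and x become SqlParameters with
    // explicit types, and x is a number rather than a quoted string.
    public static DataTable GetProductByRow(string connectionString, string cys, long x)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.usp_GetProductByRow", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@manufacturer", SqlDbType.NVarChar, 100).Value = cys;
            cmd.Parameters.Add("@rowNum", SqlDbType.BigInt).Value = x;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

The same parameter handling applies if the query is kept inline in C# instead of being moved into a procedure; the point is that user input only ever arrives through SqlParameter.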
Maciej Los 24-Jul-13 14:26pm
Thomas Daniels 24-Jul-13 14:29pm
Thank you!
Adarsh chauhan 25-Jul-13 2:37am
I agree... using parameters instead of string concatenation is always the better and more secure way...
Nice and helpful links.. +5
Thomas Daniels 25-Jul-13 3:00am
Thank you!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Web02 | 2.8.190114.1 | Last Updated 22 Apr 2015