Well, following the advice of the commentators, let's move it into a stored procedure.
You wrote:
"SELECT * FROM Enquiry where Cust_Name='" + myselection + "' or Cust_ID='" + vid + "'"
Change to:
On MSSQL, execute this command (the data types should match those in your table):
    -- Stored procedure taking the two lookup values as typed parameters
    CREATE PROC spSelectCustomerByNameAndID (
        @name NVARCHAR(50),
        @id   NVARCHAR(50)
    )
    AS
    BEGIN
        SELECT * FROM Enquiry WHERE Cust_Name = @name AND Cust_ID = @id;
    END
Next up, from your C#, something like this:
    using System.Data;
    using System.Data.SqlClient;

    using (SqlConnection con = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand("spSelectCustomerByNameAndID", con))
    {
        cmd.CommandType = CommandType.StoredProcedure;
        // Types and sizes match the procedure's NVARCHAR(50) parameters,
        // so the values are sent as data and never spliced into SQL text.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = myselection;
        cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = vid;
        con.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            if (!reader.HasRows)
            {
                return;
            }
            reader.Read();
            // read the columns you need from reader here
        }
    }
And on the way out I would like to present you with why all the good people were lamenting about not trusting input and such: the very real fear of SQL injection. It is always more than a good idea to check data coming from the UI, especially so if it is from web POSTs or GETs:
https://technet.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx
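To show concretely why the string-built query from the question is a problem and the parameterized one is not, here is an added example (not code from the answer above) that mirrors both versions of the `Enquiry` lookup against an in-memory SQLite table; the table rows are constructed sample data, and the `OR` from the original query is kept in both variants so they compare like for like.

```python
import sqlite3

# Constructed sample rows standing in for the Enquiry table from the question.
SAMPLE_ROWS = [("Alice", "C001"), ("O'Brien", "C002"), ("Carol", "C003")]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the SQL Server table (column names from the question)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Enquiry (Cust_Name TEXT, Cust_ID TEXT)")
    con.executemany("INSERT INTO Enquiry VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_concatenated(con: sqlite3.Connection, myselection: str, vid: str) -> list:
    """The original string-built query: input is spliced into the SQL text."""
    sql = ("SELECT * FROM Enquiry WHERE Cust_Name='" + myselection
           + "' OR Cust_ID='" + vid + "'")
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, myselection: str, vid: str) -> list:
    """Same query with bound parameters, as the stored-procedure call does."""
    sql = "SELECT * FROM Enquiry WHERE Cust_Name = ? OR Cust_ID = ?"
    return con.execute(sql, (myselection, vid)).fetchall()


def compare(myselection: str, vid: str) -> tuple:
    """Run both variants on the same input and return (concatenated, parameterized).

    If the concatenated variant fails, its exception class name is returned
    instead of a row list, showing that the input was parsed as SQL.
    """
    con = make_db()
    try:
        unsafe = lookup_concatenated(con, myselection, vid)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = lookup_parameterized(con, myselection, vid)
    con.close()
    return unsafe, safe


if __name__ == "__main__":
    # Ordinary input: both variants agree.
    print(compare("Alice", "C003"))
    # A legitimate name with an apostrophe: the concatenated query breaks, because
    # the quote ends the string literal and the rest of the name is read as SQL.
    print(compare("O'Brien", "none"))
```

The second call is the whole story of injection in miniature: any character in the input that the SQL parser treats as syntax changes the query, whereas the bound parameter is handed to the engine as a value no matter what it contains.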