sql command in code behind C#.net

Question

0.00/5 (No votes)

See more:

How to call an asp parameter in a sql command.

exp: cmd.CommandText = "SELECT name FROM server WHERE code="+TextBox1.Text;

Is it correct?

Posted 24-Oct-11 22:53pm

kitykity

Updated 24-Oct-11 22:56pm

RaisKazi

v2

Add a Solution

Comments

priyagoel 21-Aug-13 1:33am

try
{
if (cn.State == ConnectionState.Closed)
{
cn.Open();
}
for (int i = 0; i < dt1.Rows.Count - 1; i++)
{
string check = "select name,days,hdays,months,years * from inventory";
ad2.fill = ad2();
tell here how to write code where please help me string _whr = "select * from inventory where name= 'priya' + dt1.Rows[i][name].ToString()+ = "'," Convert.ToInt32(dt1.Rows[i][days] + hdays = '1'+ Convert.ToInt32(dt1.Rows[i][hdays] + months = '1'+ Convert.ToInt32(dt1.Rows[i][months] + years = '1'+ Convert.ToInt32(dt1.Rows[i][years]+ ")";

if (dt1.Rows.Count > 0)
{ }

else
{

string insert = "insert into inventory(name,days,hdays,months,years)values('" + dt1.Rows[i]["name"].ToString() + "'," + Convert.ToInt32(dt1.Rows[i]["days"]) + "," + Convert.ToInt32(dt1.Rows[i]["hdays"]) + "," + Convert.ToInt32(dt1.Rows[i]["months"]) + "," + Convert.ToInt32(dt1.Rows[i]["years"]) + ")";
SqlCommand ad2 = new SqlCommand(insert, cn);
ad2.ExecuteNonQuery();
}
}
}

4 solutions

Solution 2

Refer this
http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson06.aspx[^]

Posted 24-Oct-11 23:12pm

Anuja Pawar Indore

Comments

kiran dangar 25-Oct-11 7:09am

Same Solution posted 2 times ??? I have noticed this second time

Anuja Pawar Indore 25-Oct-11 7:15am

If you have noticed then must have noticed i deleted that at the same time.

Solution 6

Hi,

cmd.CommandText = "SELECT name FROM server WHERE code='"+ TextBox1.Text + "';

This could be the correct syntax. But this is no longer right way to write the code in the real time applications.
In the real time applications whenever ur passing form data to the DB u better to assign it to parameter and than send to DB to prevent SQL Injections.

Thanks...

Posted 25-Oct-11 0:30am

sabbi26

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

RaisKazi · Accepted Answer · 2011-10-24T23:13:00

It depends on Data-Type of your Column["code"] of Table["server"].

If Data-Type is Int/Numeric, then below code should work.
cmd.CommandText = "SELECT name FROM server WHERE code="+TextBox1.Text;

In case Data-Type is Varchar / Non-Numeric then try as below.
cmd.CommandText = "SELECT name FROM server WHERE code='" + TextBox1.Text + "'";

However, I don't recommend in-line queries to you. Instead use parametrized query. Because plain inline query is an invite for SQL-Injection.

C#

string sqlConnectString = "YourConnectionString";
string sqlSelect = "SELECT name FROM server WHERE code= @CodeValue";

SqlConnection sqlConnection = new SqlConnection(sqlConnectString);
SqlCommand sqlCommand = new SqlCommand(sqlSelect, sqlConnection);

sqlCommand.Parameters.Add("@CodeValue", System.Data.SqlDbType.Int);// Set SqlDbType based on your DB column Data-Type

 sqlCommand.Parameters["@CodeValue"].Value = TextBox1.Text;

SqlDataAdapter sqlDa = new SqlDataAdapter(sqlCommand);
DataTable sqlDt = new DataTable();
sqlDa.Fill(sqlDt);

Sander Rossel · Accepted Answer · 2011-10-24T23:15:00

Solution 5

Always use parameterized queries!
Your current solution is not sql injection safe.
Adding parameters is quite easy in fact.

C#

cmd.CommandText = "SELECT name FROM server WHERE code = @code";
cmd.Parameters.AddWithValue("@code", TextBox1.Text);

.NET/SQL will now replace @code with the correct value. No chance for SQL injection, cleaner code, query is cached which causes better performance.
Everyone wins! :)

Posted 24-Oct-11 23:15pm

Sander Rossel

Comments

RaisKazi 25-Oct-11 5:17am

My 5! Parametrized queries always better considering security issue.

Sander Rossel 25-Oct-11 6:11am

Thanks! :)

sql command in code behind C#.net

4 solutions

Solution 4

Solution 5

Solution 2

Solution 6

Add your solution here

Preview 0

Existing Members

...or Join us