Query String
-
Can you please tell me whether the following SQL string format is correct or not. textWord.Text and comboCat.Text are string variables in C#. indexInCategoryTable and SubCategoryNo are integer variables.
"select * from Words where word = N'"+textWord.Text+"' and CategoryTableName = '"+comboCat.Text+"' and IndexInCategoryTable = 'indexInCategoryTable' and SubCategoryNo = 'SubCategoryNo'";
-
cshivaprasad wrote:
Can you please tell me whether the following SQL string format is correct or not
No. You should use parameters rather than inject values into the query - see SQL Injection Attacks and Tips on How to Prevent Them unless you want your database attacked by a rampaging mob of malicious attackers.
"On two occasions, I have been asked [by members of Parliament], 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a question." --Charles Babbage (1791-1871) My: Website | Blog
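As an added example that is not part of the original thread, the following C# shows the concatenated query from the question beside a parameterized version of the same lookup. Two things are worth noticing in the posted string: every character of textWord.Text and comboCat.Text becomes SQL text, so an input that contains a quote rewrites the WHERE clause, and the integer variables never reach the query at all, because 'indexInCategoryTable' and 'SubCategoryNo' are quoted string literals rather than the variables. The connection string, the Microsoft.Data.SqlClient package, and the column types (nvarchar for word, varchar for CategoryTableName, int for the other two) are assumptions made for the example.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient; // assumption: on .NET Framework use System.Data.SqlClient instead

static class WordsLookup
{
    // Vulnerable form: the user-supplied strings are pasted into the SQL text.
    // With word = "x' OR 1=1 --" the predicate becomes  word = N'x' OR 1=1 --' ...
    // and everything after the comment marker is ignored, so every row matches.
    public static string BuildConcatenated(string word, string categoryTable,
                                           int indexInCategoryTable, int subCategoryNo)
    {
        return "select * from Words where word = N'" + word +
               "' and CategoryTableName = '" + categoryTable +
               "' and IndexInCategoryTable = " + indexInCategoryTable +
               " and SubCategoryNo = " + subCategoryNo;
    }

    // Hardened form: the SQL text is fixed and the values travel as typed
    // parameters, so the server never parses user input as SQL. The integers
    // are sent as int, not as quoted literals, so they compare correctly
    // against int columns.
    public static SqlCommand BuildParameterized(SqlConnection connection, string word,
                                                string categoryTable, int indexInCategoryTable,
                                                int subCategoryNo)
    {
        var cmd = new SqlCommand(
            "select * from Words where word = @word and CategoryTableName = @cat " +
            "and IndexInCategoryTable = @idx and SubCategoryNo = @sub", connection);
        // NVarChar matches the N'...' (Unicode) literal used in the original query.
        cmd.Parameters.Add("@word", SqlDbType.NVarChar, 100).Value = word;       // assumed column type
        cmd.Parameters.Add("@cat", SqlDbType.VarChar, 100).Value = categoryTable; // assumed column type
        cmd.Parameters.Add("@idx", SqlDbType.Int).Value = indexInCategoryTable;
        cmd.Parameters.Add("@sub", SqlDbType.Int).Value = subCategoryNo;
        return cmd;
    }

    static void Main()
    {
        // Constructed attacker input: closes the string literal, adds an always-true
        // condition and comments out the rest of the WHERE clause.
        string hostile = "x' OR 1=1 --";

        // Show what the concatenated version would send to the server.
        Console.WriteLine(BuildConcatenated(hostile, "Nouns", 3, 7));

        // Assumed connection string; adjust for your server and database.
        using var conn = new SqlConnection(
            "Server=.;Database=Dictionary;Integrated Security=true;TrustServerCertificate=true");
        conn.Open();

        // The parameterized version only matches a word that is literally "x' OR 1=1 --".
        using var cmd = BuildParameterized(conn, hostile, "Nouns", 3, 7);
        using var reader = cmd.ExecuteReader();
        Console.WriteLine(reader.HasRows
            ? "rows found"
            : "no rows: the hostile string was treated as data, not as SQL");
    }
}
```

The parameterized command is also the place to pass the two integers; in the posted query they would have to be concatenated as well, which works for ints but still leaves the string inputs exploitable, so parameters for all four values are the right fix.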