Reputation: 44
I want to select a user but I can't get it. Here's my query:
SqlCommand myCommand = new SqlCommand("Select * from Users where Email=" + UserEmailPass.Email + "And Password=" + UserEmailPass.Password, conn);
SqlDataReader Detailsreader = myCommand.ExecuteReader();
Is my query correct or not? Please help.
Upvotes: 2
Views: 48
Reputation: 216302
If Email and Password are string fields then you need to encapsulate the values used for comparison in single quotes, but the correct way is to use a parameterized query:
// The placeholders @mail and @pwd are bound below; note the comma before conn
SqlCommand myCommand = new SqlCommand("Select * from Users " +
"where Email=@mail And Password=@pwd", conn);
myCommand.Parameters.AddWithValue("@mail",UserEmailPass.Email);
myCommand.Parameters.AddWithValue("@pwd",UserEmailPass.Password);
SqlDataReader Detailsreader = myCommand.ExecuteReader();
If you use a parameterized query you avoid the SQL Injection problem and you don't have to worry about encapsulating your string values with quotes, doubling them if your values themselves contain a quote, not to mention the appropriate decimal separator for numerics and the correct formatting of dates.
An often overlooked benefit of parameterized queries is the now clear and perfectly understandable text of your query. As pointed out by Mr Tim Schmelter below, your query has a syntax error: a missing space between AND and the previous value in the WHERE clause. This kind of error is more difficult to make if you write a parameterized query.
Give me parameterized query or give me death
Upvotes: 3
Reputation: 2035
// Each placeholder needs an "=" before it: Password=@pass, not Password@pass
SqlCommand myCommand = new SqlCommand("Select * from Users where Email=@mail and Password=@pass", conn);
System.Data.SqlClient.SqlParameter par = new System.Data.SqlClient.SqlParameter("@mail", UserEmailPass.Email );
System.Data.SqlClient.SqlParameter par1 = new System.Data.SqlClient.SqlParameter("@pass", UserEmailPass.Password);
myCommand.Parameters.Add(par);
myCommand.Parameters.Add(par1);
SqlDataReader Detailsreader = myCommand.ExecuteReader();
DO NOT USE string concat!!!!
Upvotes: 0
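As an added example (not code from either answer above), a complete version of the lookup both answers describe, with explicitly typed parameters, disposal via using blocks and a boolean result; the connection string, the column sizes and the Users(Email, Password) layout are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Returns true when a row in Users matches the given e-mail and password.
    // Table and column names follow the question; sizes are assumed.
    public static bool UserExists(string connectionString, string email, string password)
    {
        const string sql =
            "SELECT 1 FROM Users WHERE Email = @mail AND Password = @pwd";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the driver sends the values separately from the
            // SQL text, so a quote inside a value (e.g. O'Brien@example.com) is
            // data rather than syntax, no manual quoting or doubling is needed,
            // and the server sees one stable statement shape for plan caching.
            cmd.Parameters.Add("@mail", SqlDbType.NVarChar, 256).Value = email;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 128).Value = password;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Only the existence of a match is needed, not the full row.
                return reader.HasRows;
            }
        }
    }
}
```

Passing values that the original concatenated query would have broken on (an e-mail containing a single quote, or a value with a leading "And") is the quickest way to confirm the parameterized form treats them as plain data.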