Katy J
Reputation: 205
ASP.NET parameters calling in SQL command (code behind)
how to call an asp parameter in a sql command exp:
cmd.CommandText = "SELECT name FROM server WHERE code="+TextBox1.Text;
is it correct? .
Upvotes: 0
Views: 1408
Answers (1)
Marc Gravell
Reputation: 1062502
(tries and fails to suppress a shudder)
cmd.CommandText = "SELECT name FROM server WHERE code=@code";
cmd.Parameters.AddWithValue("code", TextBox1.Text);
otherwise, you are just ripe for SQL injection.
NEVER CONCATENATE USER-INPUT INTO COMMANDS
Upvotes: 6
Related Questions
- Get Parameters of sqlcommand to string
- C# | Use parameter in SqlCommand query
- parameterized sql query - asp.net / c#
- Use SQL command as a parameter value in C#
- SQL Command Parameters
- SqlCommand with Parameters
- Adding SQL Parameters in C#
- Code behind in aspx sql
- Passing String through C# Code Behind to SQL in .ASPX
- how to access parameters in code behind