How do I re-write a SQL query as a parameterized query?

by

You need to use parameters instead of just concatenating together your SQL:

using (SqlConnection con = new SqlConnection(--your-connection-string--))
using (SqlCommand cmd = new SqlCommand(con))
{
    string query = "SELECT distinct ha FROM app WHERE 1+1=2";

    if (comboBox1.Text != "")
    {
        // add an expression with a parameter
        query += " AND firma = @value1 ";

        // add parameter and value to the SqlCommand
        cmd.Parameters.Add("@value1", SqlDbType.VarChar, 100).Value = comboBox1.Text; 
    }

    .... and so on for all the various parameters you want to add

    cmd.CommandText = query;

    con.Open();

    using (SqlDataReader reader = cmd.ExecuteReader())
    {
         while(reader.Read())
         {
             // do something with reader -read values 
         }

         reader.Close();
    }

    con.Close();
}

More Related Contents:

  1. How can I add user-supplied input to an SQL statement?
  2. ExecuteReader requires an open and available Connection. The connection’s current state is Connecting
  3. How do parameterized queries help against SQL injection?
  4. MetadataException: Unable to load the specified metadata resource
  5. Get output parameter value in ADO.NET
  6. When should “SqlDbType” and “size” be used when adding SqlCommand Parameters?
  7. SQLite Database Locked exception
  8. Is it necessary to manually close and dispose of SqlDataReader?
  9. Populate data table from data reader
  10. When using Trusted_Connection=true and SQL Server authentication, will this affect performance?
  11. Difference with Parameters.Add and Parameters.AddWithValue
  12. How to prevent a SQL Injection escaping strings
  13. SqlConnection SqlCommand SqlDataReader IDisposable
  14. Exception when AddWithValue parameter is NULL
  15. Calling Oracle stored procedure from C#?
  16. Insert into C# with SQLCommand
  17. Does using parameterized SqlCommand make my program immune to SQL injection?
  18. MultipleActiveResultSets=True or multiple connections?
  19. How to pass a table-value parameter
  20. How DataReader works?
  21. How to keep single SQL Server connection instance open for multiple request in C#?
  22. DataTable equivalent in Java [duplicate]
  23. Check if a SQL table exists
  24. What is the difference between dataview and datatable?
  25. Reading a date using DataReader
  26. What ‘length’ parameter should I pass to SqlDataReader.GetBytes()
  27. How do I connect to a SQL database from C#?
  28. .net connection pooling
  29. Do we have transactions in MS-Access?
  30. How can a Windows Service start a process when a Timer event is raised?

Leave a Comment