11

I have a WPF Application in which I am getting

string someone = TextBox.text;

I would like to use this in the following query

query = " Select * From Table Where Title = someone "

How should I go about using the variable someone in the query?

Improve this question
6
  • 2
    you shouldnt! Ever hear of SQL Injection or parameterized queries? Commented Aug 31, 2011 at 21:52
  • yes, this is very bad practice Commented Aug 31, 2011 at 21:54
  • This question is too broad, it amounts to how do i get data from sql server based on user input in a WPF application. There are entire books just covering that. Commented Aug 31, 2011 at 21:54
  • here you can read some SQL Injection examples en.wikipedia.org/wiki/SQL_injection Commented Aug 31, 2011 at 21:54
  • i feel stupid now :D Ben Commented Aug 31, 2011 at 22:13

4 Answers 4

Reset to default
27

You can just do this

query = "Select * From Table Where Title = " + someone;

But that is bad and opens you to SQL Injection

You should just use a parameterized query

Something like this should get you started

using (var cn = new SqlClient.SqlConnection(yourConnectionString))
using (var cmd = new SqlClient.SqlCommand())
{
   cn.Open();
   cmd.Connection = cn;
   cmd.CommandType = CommandType.Text;
   cmd.CommandText = "Select * From Table Where Title = @Title";
   cmd.Parameters.Add("@Title", someone);
}

From Jon Skeet's answer since his was more complete than mine

See the docs for SqlCommand.Parameters for more information.

Basically you shouldn't embed your values within the SQL itself for various reasons:

  • It's inelegant to mix code and data
  • It opens you up to SQL injection attacks unless you're very careful about escaping
  • You have to worry about formatting and i18n details for things like numbers, dates and times etc
  • When the query remains the same with only the values changing, the optimizer has less work to do - it can look up the previous optimized query directly as it'll be a perfect match in terms of the SQL.
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

What if I have multiple variable I have to add?
Use multiple parameters. Would look something like cmd.CommandText = "Select * From Table Where Tile = @Title, Thing = @Thing cmd.Parameters.Add("@Title", someone); cmd.Parameters.Add("@Thing, thing);
14

You should use a parameterized SQL query:

query = "SELECT * From TableName WHERE Title = @Title";

command.Parameters.Add("@Title", SqlDbType.VarChar).Value = someone;

See the docs for SqlCommand.Parameters for more information.

Basically you shouldn't embed your values within the SQL itself for various reasons:

  • It's inelegant to mix code and data
  • It opens you up to SQL injection attacks unless you're very careful about escaping
  • You have to worry about formatting and i18n details for things like numbers, dates and times etc
  • When the query remains the same with only the values changing, the optimizer has less work to do - it can look up the previous optimized query directly as it'll be a perfect match in terms of the SQL.
Improve this answer

1 Comment

I pulled in the meat of your answer to mine since mine got accepted so at least someone looking at the accepted answer will see the fullest of information.
1

Easiest is to use a C# Prepared sql. Example on this post. You don't have to worry about escaping the characters in your sql string or anything

Improve this answer

Comments

0 
declare @SqlQuery varchar(2000), @Fromdate varchar(20), @Todate varchar(20)

set @Fromdate='01 jan 2017'
set @Todate='30 mar 2017'


set @SqlQuery='select * from tblEmployee where tblEmployee.JDate between '''+ @Fromdate + ''' and '''+ @Todate+ ''''

print  @SqlQuery
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.