StringBuilder strSQL = new StringBuilder();

strSQL.Append("SELECT * FROM DataBaseName..TableName ");
strSQL.Append(" where Flag= @nameID"); // @nameID is a parameter placeholder, not text to be filled in
strSQL.Append(" ORDER BY Flag DESC");
  • I am using StringBuilder to build a query, and I also want to add an external variable using one of the SQL injection techniques. Please suggest how to complete this query. – suhas May 09 '16 at 09:47
  • You should not *use StringBuilder to get the variables into your query* ... This is an issue you solve on calling your query. How are you doing this? – Shnugo May 09 '16 at 09:48
  • Then is it solved by using a string??? – suhas May 09 '16 at 09:50
  • 1
    `cmd.parameters.add("@nameID").Value = nameId` – Zohar Peled May 09 '16 at 09:52
  • 2
    No, you should **absolutely avoid** queries with your parameters fiddled into it. Read about *sql injection*. Keep the query and the parameters totally separated. This question gives a lot of background: http://stackoverflow.com/q/9999751/5089204 – Shnugo May 09 '16 at 09:54
  • thq shnugo, zohar peled – suhas May 09 '16 at 10:42
  • 1
    Please put your actual question _in your question_, not in the comments. – Nyerguds May 09 '16 at 12:34
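The comments above describe the separation but never show it end to end. The following is an added example, not code from the question or any commenter: it puts the vulnerable concatenation the commenters warn against beside the parameterized form that the question's own `@nameID` placeholder calls for. It assumes a SQL Server table `DataBaseName..TableName` with an integer column `Flag`, a connection string supplied by the caller, and the classic `System.Data.SqlClient` ADO.NET provider; the method and class names are this example's own.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example (not from the original post). Assumes DataBaseName..TableName
// has an integer column Flag and that the caller provides the connection string.
public static class FlagQuery
{
    // VULNERABLE: the caller's value becomes part of the SQL text, so a value
    // such as "1; DROP TABLE TableName --" is executed as SQL, not compared to Flag.
    // Shown only to make the contrast visible; do not use this pattern.
    public static string BuildUnsafeSql(string nameId)
    {
        var strSQL = new StringBuilder();
        strSQL.Append("SELECT * FROM DataBaseName..TableName ");
        strSQL.Append(" where Flag = " + nameId);
        strSQL.Append(" ORDER BY Flag DESC");
        return strSQL.ToString();
    }

    // SAFE: the SQL text contains only the placeholder @nameID. The value is sent
    // to SQL Server as a typed parameter and is never parsed as part of the statement,
    // so the query text stays the same no matter what the caller passes in.
    public static DataTable QueryByFlag(string connectionString, int nameId)
    {
        var strSQL = new StringBuilder();
        strSQL.Append("SELECT * FROM DataBaseName..TableName ");
        strSQL.Append(" where Flag = @nameID");
        strSQL.Append(" ORDER BY Flag DESC");

        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(strSQL.ToString(), conn))
        {
            // Declare the parameter with an explicit type rather than letting
            // AddWithValue infer one from the .NET value; the type is part of the contract.
            cmd.Parameters.Add("@nameID", SqlDbType.Int).Value = nameId;

            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }

    public static void Main()
    {
        // Demonstrates the difference without a database: the unsafe builder
        // happily produces a second statement from attacker-controlled input.
        string hostile = "1; DROP TABLE TableName --";
        Console.WriteLine(BuildUnsafeSql(hostile));

        // With QueryByFlag the same intent is impossible to express: the parameter
        // is an int, and even a string parameter would only ever be compared to Flag.
        // Uncomment with a real connection string to run the parameterized query:
        // var rows = QueryByFlag("Server=.;Database=DataBaseName;Integrated Security=true;", 1);
        // Console.WriteLine(rows.Rows.Count);
    }
}
```

Using `int` for the parameter already rules out most payloads at compile time; when the column is a string, keep the parameter typed (for example `SqlDbType.NVarChar` with a length) and the same rule holds: the variable reaches the server as data, not as SQL.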

0 Answers