I have a WPF Application in which I am getting
string someone = TextBox.text;
I would like to use this in the following query
query = " Select * From Table Where Title = someone "
How should I go about using the variable someone in the query?
Asked
Active
Viewed 9.6k times
11
msarchet
- 15,104
- 2
- 43
- 66
Viktor Vice
- 223
- 1
- 2
- 13
-
2you shouldnt! Ever hear of SQL Injection or parameterized queries? – Dustin Davis Aug 31 '11 at 21:52
-
yes, this is very bad practice – Dustin Davis Aug 31 '11 at 21:54
-
here you can read some SQL Injection examples http://en.wikipedia.org/wiki/SQL_injection – Cacho Santa Aug 31 '11 at 21:54
-
This question is too broad, it amounts to how do i get data from sql server based on user input in a WPF application. There are entire books just covering that. – Ben Robinson Aug 31 '11 at 21:54
-
i feel stupid now :D Ben – Viktor Vice Aug 31 '11 at 22:13
-
stack overflow will do that to you, with such nice people in the community. the higher the reputation the more carnal the response. love the responses that have no constructive criticism or answers at all; rather, they just tell you you're stupid, what you're doing is wrong, or close your question. – Hermes Trismegistus Oct 16 '18 at 11:54
4 Answers
27
You can just do this
query = "Select * From Table Where Title = " + someone;
But that is bad and opens you to SQL Injection
You should just use a parameterized query
Something like this should get you started
using (var cn = new SqlClient.SqlConnection(yourConnectionString))
using (var cmd = new SqlClient.SqlCommand())
{
cn.Open();
cmd.Connection = cn;
cmd.CommandType = CommandType.Text;
cmd.CommandText = "Select * From Table Where Title = @Title";
cmd.Parameters.Add("@Title", someone);
}
From Jon Skeet's answer since his was more complete than mine
See the docs for SqlCommand.Parameters for more information.
Basically you shouldn't embed your values within the SQL itself for various reasons:
- It's inelegant to mix code and data
- It opens you up to SQL injection attacks unless you're very careful about escaping
- You have to worry about formatting and i18n details for things like numbers, dates and times etc
- When the query remains the same with only the values changing, the optimizer has less work to do - it can look up the previous optimized query directly as it'll be a perfect match in terms of the SQL.
msarchet
- 15,104
- 2
- 43
- 66
-
-
1Use multiple parameters. Would look something like `cmd.CommandText = "Select * From Table Where Tile = @Title, Thing = @Thing` `cmd.Parameters.Add("@Title", someone); cmd.Parameters.Add("@Thing, thing);` – msarchet Jul 14 '14 at 01:30
14
You should use a parameterized SQL query:
query = "SELECT * From TableName WHERE Title = @Title";
command.Parameters.Add("@Title", SqlDbType.VarChar).Value = someone;
See the docs for SqlCommand.Parameters for more information.
Basically you shouldn't embed your values within the SQL itself for various reasons:
- It's inelegant to mix code and data
- It opens you up to SQL injection attacks unless you're very careful about escaping
- You have to worry about formatting and i18n details for things like numbers, dates and times etc
- When the query remains the same with only the values changing, the optimizer has less work to do - it can look up the previous optimized query directly as it'll be a perfect match in terms of the SQL.
Jon Skeet
- 1,421,763
- 867
- 9,128
- 9,194
-
2I pulled in the meat of your answer to mine since mine got accepted so at least someone looking at the accepted answer will see the fullest of information. – msarchet Sep 01 '11 at 14:12
1
Easiest is to use a C# Prepared sql. Example on this post. You don't have to worry about escaping the characters in your sql string or anything
