
How to write a query with a where clause equal to a variable in C#

Hello, I want to know how to write a query with a where clause equal to some variable, for example: Select * from Table where Age = 10. Now, if I save the age in a variable, for example int age = 10;, how do I write the query?

20th Nov 2017, 12:15 PM
Salman Mushtaq
2 Answers
+ 3
@Salman Mushtaq, yes, that's true, you can simply concatenate the query string with the age variable using + age.ToString(). Technically that's the way, but if you are concerned about security, you might need to research parameterized queries to prevent SQL injection attacks. Here are some articles and references I found quite useful for working with parameterized queries:

[SQL Injection] https://www.w3schools.com/sql/sql_injection.asp
[How To: Protect From SQL Injection in ASP.NET] https://msdn.microsoft.com/en-us/library/ff648339.aspx
[Protect your data: Prevent SQL injection] http://www.c-sharpcorner.com/article/protect-your-data-prevent-sql-injection/
[Using Parameterized queries to prevent SQL Injection Attacks in SQL Server] https://www.aspsnippets.com/Articles/Using-Parameterized-queries-to-prevent-SQL-Injection-Attacks-in-SQL-Server.aspx
[OWASP - SQL Injection Prevention Cheat Sheet] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

I'm reading these references now; after I saw your post, it reminded me about SQL security. I just wanted to share this, hope it comes of use somehow. Hth, cmiiw
20th Nov 2017, 2:26 PM
Ipang
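The two ways of writing the query that this answer contrasts, as an added example (not code from the thread): the concatenated form from the question beside the parameterized form the answer recommends. The Person table, its Name column and the connection string are assumptions; the code uses the System.Data.SqlClient API that ships with .NET Framework.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

class AgeQuery
{
    // Constructed connection string; replace with your own server and database.
    const string ConnectionString =
        "Server=localhost;Database=Demo;Integrated Security=true;";

    // Concatenated form from the question: the value is spliced into the SQL text.
    // With an int it happens to work, but the same pattern applied to a string
    // variable lets whatever the string contains become part of the SQL itself.
    static string BuildConcatenatedSql(int age)
    {
        return "SELECT * FROM Person WHERE Age = " + age.ToString();
    }

    // Parameterized form: the SQL text is fixed and the value travels separately
    // as a typed parameter, so it can never be interpreted as SQL.
    static List<string> NamesWithAge(int age)
    {
        const string sql = "SELECT Name FROM Person WHERE Age = @age";
        var names = new List<string>();

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare the SQL type explicitly instead of AddWithValue so the
            // driver does not have to infer it from the .NET value.
            cmd.Parameters.Add("@age", SqlDbType.Int).Value = age;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    static void Main()
    {
        int age = 10;
        Console.WriteLine(BuildConcatenatedSql(age));
        foreach (string name in NamesWithAge(age))
            Console.WriteLine(name);
    }
}
```

The same Parameters.Add pattern applies unchanged when the variable is a string (SqlDbType.NVarChar), which is exactly the case where concatenation becomes dangerous.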
0
I got the answer. I need to use + (the concatenation sign).
20th Nov 2017, 1:55 PM
Salman Mushtaq