Bytes IT Community

What is the C# equivalent to the following in vb.net?

This is how I did this sql server 2000 string in vb.net:

"FROM TBL_TravelMain WHERE TravelMain_Mlv = '" & MLVTrimString & "'"

In C# you can't use the & something &.
How do I put this in C#, or what do I replace the & with?
Thanks,
Trint

.Net programmer
tr***********@gmail.com

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Nov 16 '05 #1
6 Replies


Trint,

You maybe did this in VB.NET; however, there it is as wrong as in every
dotNet language.
It has to be

.....FROM TBL_TravelMain WHERE TravelMain_Mlv = @MLVTrimString"

And then use the XXXcommand.parameters; here is the link for SQL
http://msdn.microsoft.com/library/de...eterstopic.asp

I hope this helps?

Cor
Nov 16 '05 #2

Hi Trint,
> This is how I did this sql server 2000 string in vb.net:
>
> "FROM TBL_TravelMain WHERE TravelMain_Mlv = '" & MLVTrimString & "'"

try

"FROM TBL_TravelMain WHERE TravelMain_Mlv = '" + MLVTrimString + "'"
Martin
Nov 16 '05 #3

Trint,

Replace the & with + signs. Don't forget to terminate the line with ;

Hope this helps.
Nov 16 '05 #4

> "FROM TBL_TravelMain WHERE TravelMain_Mlv = '" & MLVTrimString & "'"
>
> In C# you can't use the & something &.
> How do I put this in C#, or what do I replace the & with?


The C# equivalent to & is +. However, the code in your example is vulnerable
to SQL injection attacks. You should use a parameterized query instead. The
following example shows how to use SqlCommand and SqlParameter:

using System.Data;
using System.Data.SqlClient;

// The SQL text is fixed; the value is supplied separately as a typed parameter.
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "SELECT * FROM TBL_TravelMain WHERE TravelMain_Mlv = @TravelMain";
cmd.Parameters.Add("@TravelMain", SqlDbType.VarChar).Value = MLVTrimString;

Anders Norås
http://dotnetjunkies.com/weblog/anoras/
Nov 16 '05 #5

Cor,
This is in a SQL statement in C# and the equivalent to "&" turns out to
be "+".
Thanks,
Trinity

.Net programmer
tr***********@gmail.com

Nov 16 '05 #6

> Cor,
> This is in a SQL statement in C# and the equivalent to "&" turns out to
> be "+".


Trinity,
I think Cor is pointing out that your code does not follow best practices
for data access. It has a SQL injection vulnerability.
SQL injection is a technique for exploiting applications that use client
supplied data in SQL queries without handling potentially dangerous user
input. If the variable MLVTrimString in your example originates from an input
field or similar and the database user has sufficient privileges, an
attacker can enter '; DROP TABLE TBL_TravelMain -- into the input field and
actually delete your entire database table.
You should learn how to use classes described on the page Cor referred to so
that you avoid SQL injection attacks.

Anders Norås
http://dotnetjunkies.com/weblog/anoras/
Nov 16 '05 #7
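As an added illustration of the point made in replies #5 and #7 (this is example code written for this page, not code posted by Anders, Cor or Trint), the query from the question is shown both ways: the concatenated form, where the user's value becomes part of the SQL text, and the parameterized SqlCommand form, where the SQL text is fixed and the value travels separately as typed data. The table and column names come from the thread; the connection string, the column length of 50 and the sample input "O'Neil" are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the thread. Assumes a SQL Server table
// TBL_TravelMain with a varchar column TravelMain_Mlv (both named in the
// thread). The connection string is a placeholder; nothing here opens it.
static class TravelMainLookup
{
    // The form from the original post (& replaced with +): the value is
    // pasted into the statement text, so any quote character in it changes
    // the statement the server receives.
    public static string ConcatenatedCommandText(string mlvTrimString)
    {
        return "SELECT * FROM TBL_TravelMain WHERE TravelMain_Mlv = '" + mlvTrimString + "'";
    }

    // Parameterized form: the command text never changes, and the value is
    // sent as a separate VarChar parameter, so the server only ever treats it
    // as data to compare against the column.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string mlvTrimString)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM TBL_TravelMain WHERE TravelMain_Mlv = @TravelMain";
        // Column length 50 is an assumption; use the real declared length.
        SqlParameter p = cmd.Parameters.Add("@TravelMain", SqlDbType.VarChar, 50);
        p.Value = mlvTrimString;
        return cmd;
    }

    // Executes the parameterized lookup and returns how many rows matched.
    // Only call this with a real connection string; it is not called from Main.
    public static int CountMatches(string connectionString, string mlvTrimString)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            conn.Open();
            SqlCommand cmd = BuildParameterizedCommand(conn, mlvTrimString);
            int rows = 0;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    rows++;
                }
            }
            return rows;
        }
    }

    static void Main()
    {
        // Constructed sample input containing a single quote. A legitimate
        // value like this breaks the concatenated statement; the thread's
        // '; DROP TABLE TBL_TravelMain -- example is handled the same way.
        string input = "O'Neil";

        Console.WriteLine("Concatenated text sent to the server:");
        Console.WriteLine("  " + ConcatenatedCommandText(input));

        // Placeholder connection string; SqlConnection does not connect
        // until Open() is called, so this runs without a server.
        using (SqlConnection conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true"))
        {
            SqlCommand cmd = BuildParameterizedCommand(conn, input);
            Console.WriteLine("Parameterized text sent to the server:");
            Console.WriteLine("  " + cmd.CommandText);
            Console.WriteLine("Parameter value sent separately as " +
                cmd.Parameters["@TravelMain"].SqlDbType + ": " +
                cmd.Parameters["@TravelMain"].Value);
        }
    }
}
```

Running Main shows the concatenated statement with the quote from the input embedded in the SQL text, while the parameterized command's text is unchanged and the full input, quote included, sits in the parameter's Value. That is the property the replies are asking for: the statement's structure is decided by the program, never by the data.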
