weird0 <am********@gmail.com> wrote:
> I write a query in this manner by concatenating a string:
> cmd.CommandText = "SELECT acc_name FROM Account_Information where user_id='" + User_Id + "'";
> Is there any other way to do it?
Yes - the above has huge dangers with respect to SQL injection attacks,
as well as making it harder for the query optimiser.
> Please tell me how to do so, and give me some good links related to that?
It depends on which database provider you're using, but if you look at
SqlCommand.Parameters you'll see an example for the SQL Server
provider.
--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog:
http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
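As an added illustration (not code from the thread above), the concatenated query from the question next to a parameterised version using SqlCommand.Parameters for the SQL Server provider; the connection string, the NVarChar(50) column size and the method names are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class AccountLookup
{
    // Form from the question: the caller's value is spliced into the SQL text.
    // A quote character inside userId ends the string literal early and the
    // remainder is parsed as SQL, and every distinct userId yields a distinct
    // statement text, so the optimiser cannot reuse one cached plan.
    public static string VulnerableLookup(SqlConnection conn, string userId)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT acc_name FROM Account_Information where user_id='" + userId + "'";
            object result = cmd.ExecuteScalar();
            return result == null || result is DBNull ? null : (string)result;
        }
    }

    // Parameterised form: the statement text is constant; the value is sent
    // separately with an explicit type, so it can never be read as SQL and
    // the server can reuse one plan for every userId.
    public static string SafeLookup(SqlConnection conn, string userId)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT acc_name FROM Account_Information WHERE user_id = @user_id";
            // Column size 50 is an assumption; match it to the real schema.
            cmd.Parameters.Add("@user_id", SqlDbType.NVarChar, 50).Value = userId;
            object result = cmd.ExecuteScalar();
            return result == null || result is DBNull ? null : (string)result;
        }
    }

    public static void Main()
    {
        // Placeholder connection string; replace with your own.
        const string connectionString = "Server=(local);Database=Accounts;Integrated Security=true";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            Console.WriteLine(SafeLookup(conn, "alice") ?? "(no such user)");
        }
    }
}
```

Other providers expose the same idea through their own parameter classes (e.g. OleDbParameter with ? placeholders), so check the documentation for the provider you use.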