Write SQL Query in C# code with multiple lines -
i'm writing sql query in c# code. giving errors. how can correct this?
private string sql = ""; sql = (@"insert employee_master ( nationality,religion,bloodgroup, electorate,province,district,mobile ) values ( '"+emp.nationality+"','"+emp.religion+"','"+emp.bloodgroup+"', '"+emp.electorate+"','"+emp.province+"','"+emp.district+"','"+emp.mobile+"' )"); 
you should remove string concatenation , use parameterized query. can suppose, short code, not (or compiler) expect in string values stick quotes. example, if 1 of string values contains single quote, whole query fail syntax error. parameterized query, instead, removes problem quotes , render query safe sql injections (and lot easier understand what's going on)
private string sql = ""; sql = @"insert employee_master ( nationality,religion,bloodgroup, electorate,province,district,mobile ) values ( @nat,@rel,@blood, @elect,@prov,@district,@mobile )"; using (sqlconnection con = new sqlconnection(...constring here...)) using (sqlcommand cmd = new sqlcommand(sql, con)) { con.open(); cmd.parameters.add("@nat", sqldbtype.nvarchar).value = "nationality"; ... continue adding other parameters @rel, @blood etc... , values cmd.executenonquery(); } said that, after edit, can see error pointed red squiggles. caused bad line endings on these lines
....'"+emp.bloodgroup+"', ....'"+emp.mobile+"' you should change them
....'"+emp.bloodgroup+"'," ....'"+emp.mobile+"'" to correct compiler. effect of verbatim character @ terminated when use + operator concatenate strings , need repeat again if want omit closing double quote on lines above. leads terrible , error prone syntax:
....'"+emp.bloodgroup+ @"', ....'"+emp.mobile+ @"' but again, doesn't protect malformed input values generate exception or catastrophic hacking of program. so, please not write queries in way
Comments
Post a Comment