This is a very usual problem.
It would be best to create a fixed set of "universal" query strings using the parameterized query approach. Depending on the current status of the query control, you should select one of the queries from the set and perform substitution of the parameters.
Please see:
http://en.wikipedia.org/wiki/Parameterized_query,
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx.
For a code sample, take a look at this tutorial:
http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson06.aspx.
Using a dynamic query string based on string manipulation like concatenation or based on StringBuilder is not efficient and is considered unsafe due to the possibility of SQL injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection.
—SA
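
The approach described in the answer above, as an added example that is not part of the original post: a fixed set of query strings is chosen by which search controls are filled in, and the values travel only as parameters. The table and column names (Customers, City, Name), the Filter enum and the CustomerQueries class are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical state of the query controls: which filters the user filled in.
[Flags]
enum Filter { None = 0, ByCity = 1, ByName = 2 }

static class CustomerQueries
{
    const string Base = "SELECT Id, Name, City FROM Customers";

    // The fixed set of query strings. User input never becomes part of the SQL text.
    static readonly Dictionary<Filter, string> Sql = new Dictionary<Filter, string>
    {
        { Filter.None, Base },
        { Filter.ByCity, Base + " WHERE City = @city" },
        { Filter.ByName, Base + " WHERE Name LIKE @name" },
        { Filter.ByCity | Filter.ByName, Base + " WHERE City = @city AND Name LIKE @name" },
    };

    public static SqlCommand Build(SqlConnection conn, string city, string name)
    {
        // Select one query from the set according to the control state.
        Filter f = Filter.None;
        if (!string.IsNullOrWhiteSpace(city)) f |= Filter.ByCity;
        if (!string.IsNullOrWhiteSpace(name)) f |= Filter.ByName;

        var cmd = new SqlCommand(Sql[f], conn);
        // Typed, sized parameters: the value is sent as data, not parsed as SQL.
        if (f.HasFlag(Filter.ByCity))
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;
        if (f.HasFlag(Filter.ByName)) // % and _ in the input still act as LIKE wildcards
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name + "%";
        return cmd;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed input: the quote characters stay inside the parameter value.
        using (var cmd = CustomerQueries.Build(null, "London", "x' OR '1'='1"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} = {1}", p.ParameterName, p.Value);
        }
    }
}
```

Main passes null for the connection only so the command can be inspected without a database; in real use, pass an open SqlConnection and call ExecuteReader on the returned command.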