One problem with your code is string concatenation. Repeated concatenation is a bad operation, because strings are immutable, so it's a performance problem. Should I explain why? The class System.Text.StringBuilder and the method String.Format are free from this problem.
But a much bigger problem is the purpose of your concatenation. This is really a fatal mistake from the security standpoint. The problem is: you compose a command using strings taken from the UI, from user input. But the user can input anything, including some SQL fragments (no, filtering them out is not serious). This opens wide doors to the well-known exploit called SQL injection. Never do it. Please read about this exploit and pay special attention to the importance of parameterized statements: http://en.wikipedia.org/wiki/SQL_injection
You need to use SQL command parameters the way Mika Wendelius demonstrated in his Solution 2. Please read about using command parameters in ADO.NET: http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx
—SA
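Added example (not code from this thread, nor from Mika Wendelius's Solution 2): the same login check written once by concatenating user input into the command and once with bound parameters, run against both honest input and two classic injection payloads. It uses Python's sqlite3 module in place of ADO.NET so it runs offline; that substitution, the users table, its rows and the attack strings are all constructed for the demo.

```python
import sqlite3

# Added example, not code from the thread: Python's sqlite3 module stands in
# for the poster's ADO.NET code so the demo runs offline. The table, rows and
# inputs below are constructed sample data.


def make_db():
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """VULNERABLE: the SQL text is built by concatenating user input.

    Whatever the user types becomes part of the command, so quotes and SQL
    keywords in the input change the structure of the query.
    Returns True if the composed query matches at least one row, False if it
    matches none, or the string 'error' if the composed text is not valid SQL.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return "error"


def login_parameterized(conn, name, password):
    """SAFE: the SQL text is fixed; the values are bound to ? placeholders.

    The driver passes the values separately from the command text, so a quote
    or keyword in the input is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Constructed inputs: a valid login, an honest name containing an apostrophe,
# and two classic injection payloads.
CASES = [
    ("alice", "s3cret"),           # valid credentials
    ("o'brien", "x"),              # honest input with a quote character
    ("alice", "' OR '1'='1"),      # tautology injected via the password field
    ("x' OR 1=1 --", "whatever"),  # comments out the password check entirely
]


def run_demo():
    """Return {(name, password): (concat_result, parameterized_result)}."""
    conn = make_db()
    return {
        case: (login_concat(conn, *case), login_parameterized(conn, *case))
        for case in CASES
    }


if __name__ == "__main__":
    for (name, password), (bad, good) in run_demo().items():
        print(f"{name!r:16} {password!r:16} concat={bad!r:8} parameterized={good!r}")
```

The concatenated version lets both payloads in (the tautology and the `--` comment each make the WHERE clause true for every row) and breaks on the legitimate name `o'brien`; the parameterized version rejects both payloads and simply finds no such user. In ADO.NET the parameterized form is a SqlCommand whose text uses `@name`/`@password` placeholders with the values added through cmd.Parameters, which is what the linked MSDN page and Solution 2 show.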