Don't do it like that!
Your code is vulnerable to
SQL Injection[^].
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
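/// <summary>
/// Loads the payment rows for the month selected in <c>MonthlyReport.setmonth</c>
/// (expected in "month/year" form, e.g. "03/2024") into <c>dataGridView1</c>,
/// echoing the month and year text into <c>textBox2</c> and <c>textBox3</c>.
/// </summary>
/// <remarks>
/// The month and year travel as query parameters and are never concatenated into
/// the SQL text, so a user-supplied value cannot change the statement.
/// <see cref="OleDbCommand"/> does not support named parameters in text commands:
/// the placeholders must be <c>?</c> and parameters bind in the order they are
/// added, so the two <c>Parameters.Add</c> calls must stay in year-then-month order.
/// Any failure is shown to the user in a message box; nothing is rethrown.
/// </remarks>
private void LoadDataMonth()
{
    try
    {
        // Validate the selection up front so a malformed value gives a clear
        // message instead of an IndexOutOfRange/parse error from the catch below.
        string selected = MonthlyReport.setmonth ?? string.Empty;
        string[] parts = selected.Split('/');
        if (parts.Length != 2
            || !int.TryParse(parts[0], System.Globalization.NumberStyles.Integer,
                             System.Globalization.CultureInfo.InvariantCulture, out int month)
            || !int.TryParse(parts[1], System.Globalization.NumberStyles.Integer,
                             System.Globalization.CultureInfo.InvariantCulture, out int year)
            || month < 1 || month > 12)
        {
            MessageBox.Show("Data Not Found - invalid month selection: " + selected);
            return;
        }

        textBox2.Text = parts[0];
        textBox3.Text = parts[1];

        // Positional "?" markers: the only placeholder form OleDbCommand supports.
        const string query = "select cu.Date, ln.SrNumber, cu.Name+' / '+cu.FatherName AS \"Details\", cu.Address + ' , ' + cu.Address1 AS Address, cu.MobileNo + ' , ' + cu.SecMobileNo AS Contect, ln.SrNumber, ln.PaymentDate, ln.Amount from Payment ln inner join customer cu on ln.SrNumber = cu.SrNumber where YEAR(cu.Date) = ? and MONTH(cu.Date) = ?";
        string connstring = ConfigurationManager.ConnectionStrings["Data"].ConnectionString;

        using (OleDbConnection con = new OleDbConnection(connstring))
        using (OleDbDataAdapter da = new OleDbDataAdapter(query, con))
        {
            // Typed integer parameters: no implicit string-to-int conversion on the server,
            // and the values are bound as data, never as SQL text.
            da.SelectCommand.Parameters.Add("Year", OleDbType.Integer).Value = year;
            da.SelectCommand.Parameters.Add("Month", OleDbType.Integer).Value = month;

            DataTable dt = new DataTable();
            da.Fill(dt);
            dataGridView1.DataSource = dt;
        }
    }
    catch (Exception ex)
    {
        // Deliberately broad: this is a UI handler and the user gets the message,
        // so nothing is silently swallowed.
        MessageBox.Show("Data Not Found - " + ex.Message);
    }
}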
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]