Not like that! Your code will be vulnerable to
SQL Injection[
^].
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[
^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[
^]
Query Parameterization Cheat Sheet | OWASP[
^]
It's not quite so simple to do that with an
IN query, but it's not too bad - for example:
using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand("", connection))
{
var sb = new StringBuilder("SELECT * FROM GENTM02 WHERE ID = @ID");
command.Parameters.AddWithValue("@ID", 84);
var parameterNames = new List<string>();
foreach (string part in textbox1.Text.Split(","))
{
string name = "@KOD" + parameterNames.Count;
command.Parameters.AddWithValue(name, part);
parameterNames.Add(name);
}
if (parameterNames.Count != 0)
{
sb.AppendFormat(" AND KOD IN ({0})", string.Join(", ", parameterNames);
}
command.CommandText = sb.ToString();
var ds = new DataSet();
var da = new SqlDataAdapter(command);
da.Fill(ds);
}
Submit an article or tip