following are some MySQL queries :
1]
string sel=SELECT u.Id as ID,u.Name,u.IName,s.FId,s.TId,s.data,s.Date,s.ID as Id,s.iurl,s.Id as SpId,s.ITitle FROM mydb.userdb as u, mydb.psp as s WHERE u.Id=s.FId AND s.FId='" + Session["UId"].ToString() + "'order by s.Id DESC";
2]
string postlob = "Insert into mydb.`dbo.sp`(ITitle,FId,TId,D,imageurl,SendDate,d,dn)SELECT ITitle,FromId,ToId,data,iurl,Date,0,0 from mydb.personalscrap where Id='" + test + "'";
3]
string deletpass = "delete from mydb.pesp where Id='" + test + "'";
4]
string postlob = " INSERT INTO mydb.sp2(ITitle, pbyid,`Name`, sid, data, fstatus, iurl, date, pid,d,dn)SELECT(select ITitle from mydb.psp where Id = '"+test+"' ) ,(select FId from mydb.psp where Id = '"+test+"'),(select `Name` from mydb.user where Id = '1'),FId,(select data from mydb.psp where Id = '"+test+"'),FStatus,(select iurl from mydb.psp where Id = '"+test+"'),(select date from mydb.psp where Id = '" + test + "'),(select max(Id) + 1 from mydb.sp2),0,0 from mydb.`dbo.tbl` where Id = '" + Session["UId"] + "' AND FStatus = '1'";
5]
string queryupdate = "Update mydb.psp set data='" + sugg + "' where Id='" + test + "'";
please help me to make above queries sql injection free.
I go through some article and used them for insert queries but now when insert query nested with select query then how to perfoem parameterized query to avoid sql injection.
I also want to get know how to pass parameters here
MySqlCommand cmd = connection.CreateCommand();
cmd.CommandText = SelectQuery;
MySqlDataAdapter ada = new MySqlDataAdapter(cmd);
DataTable dtt = new DataTable();
ada.Fill(dtt)
return dtt;