This is how I did this sql server 2000 string in vb.net:

"FROM TBL_TravelMain WHERE TravelMain_Mlv = '" & MLVTrimString & "'"

In C# you can't use the & something &.
How do I put this in C#, or what do I replace the & with?
Thanks,
Trint

.Net programmer
(E-Mail Removed)

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Trint,

You maybe did this in VBNet, however in that it is as wrong as in every
dotNet language
it has to be

.....FROM TBL_TravelMain WHERE TravelMain_Mlv = @MLVTrimString"

And than use the XXXcommand.parameters, here the link for SQL
http://msdn.microsoft.com/library/de...eterstopic.asp

I hope this helps?

Cor

Hi Trint,
> This is how I did this sql server 2000 string in vb.net:
>
> "FROM TBL_TravelMain WHERE TravelMain_Mlv = '" & MLVTrimString & "'"
try

"FROM TBL_TravelMain WHERE TravelMain_Mlv = '" + MLVTrimString + "'"


Martin

Trint,

Replace the & with + signs. Don't forget to terminate the line with ;

Hope this helps.

> "FROM TBL_TravelMain WHERE TravelMain_Mlv = '" & MLVTrimString & "'"
>
> In C# you can't use the & something &.
> How do I put this in C#, or what do I replace the & with?

The C# equivilant to & is +. However, the code in your example is vunerable
to SQL injection attacks. You should use a parameterized query instead. The
following example shows how to use SqlCommand and SqlParameter:

SqlCommand cmd=new SqlCommand();
cmd.CommandText="SELECT * FROM TBL_TravelMain WHERE
TravelMain_Mlv=@TravelMain";
cmd.Parameters.Add("@TravelMain",SqlDbType.VarChar).Value=MLVTrimString;

Anders Norås
http://dotnetjunkies.com/weblog/anoras/

Cor,
This is in a SQL statement in C# and the equivilant to "&" turns out to
be "+".
Thanks,
Trinity

.Net programmer
(E-Mail Removed)

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

> Cor,
> This is in a SQL statement in C# and the equivilant to "&" turns out to
> be "+".

Trinity,
I think Cor is pointing out that your code does not follow best practices
for data access. I has a SQL injection vunerablity.
SQL injection is a technique for exploitiong applications that use client
supplied data in SQL queries without handling potentially dangerous user
input. If the variable MLVTrimString in your example originates from a input
field or similar and the database user has sufficient privelidges, an
attacker can enter '; DROP TABLE TBL_TravelMain -- into the input field and
actually delete your entire database table.
You should learn how to use classes described on the page Cor referred to so
that you avoid SQL injection attacks.

Anders Norås
http://dotnetjunkies.com/weblog/anoras/