I recommend you use named parameters instead:
SqlCommand sc = new SqlCommand(
    "Select * from TableTranasction where CustName = @CustName");
// The value is bound as a parameter and never pasted into the SQL text,
// so a quote in the customer name cannot change the query.
sc.Parameters.Add("@CustName", userInput);
Sergey
A_PK wrote:
> if my strCustName consists of symbols like "&" and others??
>
> There is a way to treat strCustName as a String; I just forget the way of
> doing it.
>
> Just treat that every value of strCustName as a whole string...
>
>
> "Manuel Meitinger" <(E-Mail Removed)> wrote in message
> news:41ca82b0$(E-Mail Removed)...
>
>>>the strCustName is a dynamic field, chosen from a List of Companies.
>>>
>>>then I got one select statement....
>>>"Select * from TableTranasction where CustName = 'strCustName'"
>>>
>>>The above query works perfectly for ABC Trading and XXX Company, but when
>>>the user chooses Peter's Company, then my above mentioned query will encounter
>>>a problem.
>>>
>>
>>
>>Peter answered your question already!
>>
>>AFTER obtaining strCustName AND BEFORE making the query, replace every ` '
>>` in strCustName with two ` ' ` (that is ` '' `)
>>
>>( BTW, I do believe your code rather looks like "Select * from
>>TableTranasction where CustName = '" + strCustName + "'" )
>>
>
>
>
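As an added example that is not part of the original thread, written in Python with the standard sqlite3 module rather than ADO.NET so it runs without a SQL Server: the three ways of building the query side by side, the concatenation from the original post, Manuel's quote doubling and Sergey's named parameter, each run against "Peter's Company" and against a value that rewrites the WHERE clause. The sample rows, the Amount column and the injected value are constructed for the demonstration; the table name is kept as spelled in the thread.

```python
import sqlite3

# Constructed sample table for this demonstration (not data from the thread).
# The table name is kept as spelled in the thread; the Amount column is an assumption.
SAMPLE_ROWS = [
    (1, "ABC Trading", 100.0),
    (2, "XXX Company", 250.0),
    (3, "Peter's Company", 75.0),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TableTranasction (Id INTEGER, CustName TEXT, Amount REAL)"
    )
    conn.executemany("INSERT INTO TableTranasction VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concat(conn, cust_name):
    """The original pattern: the value is pasted into the SQL text.
    An apostrophe in cust_name ends the literal early, so the query either
    fails to parse or, with a crafted value, means something else entirely."""
    sql = "Select * from TableTranasction where CustName = '" + cust_name + "'"
    return conn.execute(sql).fetchall()


def query_escaped(conn, cust_name):
    """Manuel's fix: double every single quote before concatenating.
    This only protects a string literal and must be applied to every value."""
    safe = cust_name.replace("'", "''")
    sql = "Select * from TableTranasction where CustName = '" + safe + "'"
    return conn.execute(sql).fetchall()


def query_param(conn, cust_name):
    """Sergey's fix: bind the value as a named parameter. The driver sends the
    value separately from the SQL text, so no escaping is needed at all.
    (SQLite spells the placeholder :CustName; ADO.NET spells it @CustName.)"""
    sql = "Select * from TableTranasction where CustName = :CustName"
    return conn.execute(sql, {"CustName": cust_name}).fetchall()


def concat_raises(conn, cust_name):
    """True if the concatenated query cannot even be parsed for this value."""
    try:
        query_concat(conn, cust_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 --"  # constructed value: a "customer name" nobody typed
    print("concat  Peter's Company parse error:", concat_raises(db, "Peter's Company"))
    print("concat  injected rows:", len(query_concat(db, injected)))  # every row
    print("escaped Peter's Company rows:", len(query_escaped(db, "Peter's Company")))
    print("escaped injected rows:", len(query_escaped(db, injected)))
    print("param   Peter's Company rows:", len(query_param(db, "Peter's Company")))
    print("param   injected rows:", len(query_param(db, injected)))
```

Run it and the concatenated query fails outright on "Peter's Company" and returns every row for the injected value, while both the quote-doubled and the parameterized versions return exactly the one matching row and nothing for the injected value. The difference between the last two is where the protection lives: quote doubling is something the code must remember for every value in every query, whereas a bound parameter is never part of the SQL text, which is why the parameter form is the one to use.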