Method param in string variable

Looch

All,

I'm trying to output [Select * from Table1 where Column1 =
'FirstName'] but I can only get [Select * from Table1 where Column1 =
'" + name + "'"] (brackets for clarity) when using the code below.

How can I "break" into the query variable in the InsertName method to
add the name parameter to the variable query?

public class MyClass
{
    private string query = "Select * from Table1 where Column1 = '" + name + "'";

    public void InsertName(string name)
    {
        Console.WriteLine(query);
    }

    static void Main(string[] args)
    {
        string variable = "FirstName";
        InsertName(variable);
    }
}
 
DaveL

using System.Data;
using System.Data.SqlClient;

// ConnectionString is a placeholder for your own connection string
SqlConnection oConn = new SqlConnection(ConnectionString);

SqlCommand oCmd = new SqlCommand();
oCmd.CommandText = "Select * from SomeTable with (nolock) where SomeName=@Param1";
// The value is sent separately from the SQL text, so it is never parsed as SQL
oCmd.Parameters.Add("@Param1", SqlDbType.VarChar, 30).Value = "Hello";

oCmd.Connection = oConn;
oConn.Open();
SqlDataReader reader = oCmd.ExecuteReader();

Something like the above should do it for you
DaveL
 
Jeff Johnson

First, you shouldn't even be trying to do what you're doing (dynamic query
string generation) because that's just asking for SQL injection. Use a
parameterized query like DaveL showed.

However, I'm replying because you don't appear to understand the concept of
scope. Just because you name the argument of the InsertName() method "name"
does NOT make it the same as the "name" variable you have in your
class-level variable (field) called "query." In fact, this code should have
given you a compile error because "name" is not defined. You'd need to do
the string concatenation inside the method. In fact, this wouldn't work
either:

public class MyClass
{
private string _name;
private string query = "Select * from Table1 where Column1 = '" + _name + "'";

public void InsertName(string name)
{
_name = name;
Console.WriteLine(query);
}
[...]
}

The query variable gets assigned once. Just because you used a variable
during its assignment does not mean it will dynamically update itself
because you change the value of the variable.

But again, there are very few times you'd ever want to build SQL
dynamically. Use parameterized queries. Tattoo that on the inside of your
eyelids....
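Putting DaveL's parameterized query and Jeff's scope point together, here is an added example (my code, not something posted in this thread) of what the original class should look like: the query is built inside the method from the method's own parameter, and the value is passed as a SqlParameter instead of being concatenated into the SQL text. It uses the same System.Data.SqlClient types DaveL used; the method names BuildUnsafeQuery, BuildSafeCommand and CountRows, the column size, the connectionString placeholder and the hostile input string are all my assumptions for illustration. BuildUnsafeQuery is there only to show the text a concatenated query would hand to the server.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // on modern .NET the Microsoft.Data.SqlClient package supplies the same types (assumption about the target runtime)

public class MyClass
{
    // What the original field initializer was trying to produce. Kept only to
    // show the text the server would have to parse; never run this against a
    // real database.
    public static string BuildUnsafeQuery(string name)
    {
        return "Select * from Table1 where Column1 = '" + name + "'";
    }

    // The fix for both problems in the thread: the query is built inside the
    // method, from the method's own parameter (so scope is no longer an issue),
    // and the value travels as a SqlParameter rather than as part of the SQL text.
    public static SqlCommand BuildSafeCommand(string name)
    {
        SqlCommand cmd = new SqlCommand("Select * from Table1 where Column1 = @name");
        // Type and size are assumptions; match them to the real column definition.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
        return cmd;
    }

    // Executes the parameterized command and counts the rows returned.
    // connectionString is a placeholder supplied by the caller.
    public static int CountRows(string connectionString, string name)
    {
        int rows = 0;
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = BuildSafeCommand(name))
        {
            cmd.Connection = conn;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    rows++;
                }
            }
        }
        return rows;
    }

    static void Main(string[] args)
    {
        string variable = "FirstName";
        // Constructed hostile input: the kind of value an attacker types into a form field.
        string hostile = "x' OR '1'='1";

        // Concatenation: the hostile value changes the structure of the query itself.
        Console.WriteLine(BuildUnsafeQuery(variable));
        Console.WriteLine(BuildUnsafeQuery(hostile));

        // Parameters: the SQL text is identical for both inputs; only the
        // parameter value differs, and the server compares it as a plain string.
        foreach (string input in new[] { variable, hostile })
        {
            SqlCommand cmd = BuildSafeCommand(input);
            Console.WriteLine(cmd.CommandText + "   [@name = " + cmd.Parameters["@name"].Value + "]");
        }

        // Uncomment with a real connection string to run the safe query against a database.
        // Console.WriteLine(CountRows("Server=.;Database=MyDb;Integrated Security=true", hostile));
    }
}
```

With the hostile input, the concatenated text becomes Select * from Table1 where Column1 = 'x' OR '1'='1', a WHERE clause that is true for every row, so the attacker controls which rows come back. The parameterized command sends the unchanged SQL text plus the value x' OR '1'='1 as data, so the server simply looks for a row whose Column1 equals that literal string. The quotes and OR never reach the SQL parser, which is the whole point of DaveL's advice.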
 
