Mega Code Archive
The use of a parameterized SQL statement (C#)
<![CDATA[
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
{
SqlConnection MyConnection;
SqlCommand MyCommand;
SqlDataReader MyReader;
SqlParameter CityParam;
SqlParameter ContactParam;
MyConnection = new SqlConnection();
MyConnection.ConnectionString = ConfigurationManager.ConnectionStrings["DSN_Northwind"].ConnectionString;
MyCommand = new SqlCommand();
MyCommand.CommandText = " SELECT * FROM CUSTOMERS WHERE CITY = @CITY AND CONTACTNAME = @CONTACT ";
MyCommand.CommandType = CommandType.Text;
MyCommand.Connection = MyConnection;
CityParam = new SqlParameter();
CityParam.ParameterName = "@CITY";
CityParam.SqlDbType = SqlDbType.VarChar;
CityParam.Size = 15;
CityParam.Direction = ParameterDirection.Input;
CityParam.Value = "Berlin";
ContactParam = new SqlParameter();
ContactParam.ParameterName = "@CONTACT";
ContactParam.SqlDbType = SqlDbType.VarChar;
ContactParam.Size = 15;
ContactParam.Direction = ParameterDirection.Input;
ContactParam.Value = "Maria Anders";
MyCommand.Parameters.Add(CityParam);
MyCommand.Parameters.Add(ContactParam);
MyCommand.Connection.Open();
MyReader = MyCommand.ExecuteReader(CommandBehavior.CloseConnection);
gvCustomers.DataSource = MyReader;
gvCustomers.DataBind();
MyCommand.Dispose();
MyConnection.Dispose();
}
}
</script>
<html>
<body>
<form id="form1" runat="server">
<div>
<asp:GridView ID="gvCustomers" runat="server">
</asp:GridView>
</div>
</form>
</body>
</html>
File: Web.config
<configuration>
<connectionStrings>
<add name="DSN_Northwind"
connectionString="Data Source=localhost\SQLEXPRESS;Initial Catalog=Northwind;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
</configuration>
]]>