 Question about sqlQuery.Append

potn1
Starting Member

33 Posts

Posted - 2010-04-13 : 12:50:24
Hi, so I am displaying 4 DropDownLists on my website and have a question about values included within a sqlQuery.Append.

Is there a different way I need to write this to include (2) OR statements? I have multiple schoolid's and an Away or Home state that I need to reference. I wasn't sure if the brackets needed to be changed at all with (2) OR + (2) AND statements. Any help is appreciated. Thanks!

sqlQuery.Append("WHERE HomeSchoolID <> 597 AND HomeSchoolID = '" + Convert.ToString(Session["schoolid"]) + "' OR AwaySchoolID = '" + Convert.ToString(Session["schoolid"]) + "' AND (SC.state='" + Convert.ToString(Session["state"]) + "' OR SC2.state='" + Convert.ToString(Session["state"]) + "') ");

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2010-04-13 : 14:50:05
Your code is vulnerable to SQL injection. You should instead write parameterized queries rather than concatenating it. Please do a search on these topics for more information.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/
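
Added example, not part of the original thread: the WHERE clause from the question rewritten with parameters instead of concatenated session values. The class and method names, the parameter names `@schoolId` and `@state`, the column types, and the parenthesized grouping of the school test are assumptions, since the thread shows neither the schema nor the rest of the query.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class SchoolGameQuery   // hypothetical helper, not from the thread
{
    // sqlQuery already holds the SELECT/FROM/JOIN text the page builds elsewhere
    // (not shown in the thread). schoolId and state are the raw values of
    // Session["schoolid"] and Session["state"].
    public static SqlCommand Build(SqlConnection conn, StringBuilder sqlQuery,
                                   object schoolId, object state)
    {
        // The SQL text is now a constant: no user-influenced value is ever
        // spliced into it, so a quote character in a session value cannot
        // change the statement's structure.
        //
        // Assumed intent: "school is home OR away" AND "state matches either
        // alias". In T-SQL, AND binds tighter than OR, so without the
        // parentheses around the school test the original clause is read as
        // (<> 597 AND Home = id) OR (Away = id AND (state OR state)).
        sqlQuery.Append(
            "WHERE HomeSchoolID <> 597 " +
            "AND (HomeSchoolID = @schoolId OR AwaySchoolID = @schoolId) " +
            "AND (SC.state = @state OR SC2.state = @state) ");

        var cmd = new SqlCommand(sqlQuery.ToString(), conn);

        // Values travel separately from the SQL text and are typed.
        // Int and VarChar(50) are assumptions; match them to the real columns.
        // Convert.ToInt32 throws FormatException on a non-numeric string,
        // which rejects malformed input before it reaches the server.
        cmd.Parameters.Add("@schoolId", SqlDbType.Int).Value =
            Convert.ToInt32(schoolId);
        cmd.Parameters.Add("@state", SqlDbType.VarChar, 50).Value =
            Convert.ToString(state);

        return cmd;
    }
}
```

A caller would pass `Session["schoolid"]` and `Session["state"]` to `Build` and run the returned command with `ExecuteReader()` on an open connection.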
