string sqlCmd = @"SELECT r.row_id AS resp_id,
       r.name   AS resp_name
  FROM srb.s_resp r,
       srb.s_per_resp pr,
       srb.s_contact c,
       srb.s_user u
 WHERE r.row_id = pr.resp_id
   AND u.row_id = c.row_id
   AND c.person_uid = pr.per_id
   AND UPPER(u.login) = @login
 ORDER BY r.name";
OracleConnection con = new OracleConnection(getConnectionString(username, password));
OracleCommand command = con.CreateCommand();
con.Open();
command.CommandType = CommandType.Text;
command.Connection = con;
command.CommandText = sqlCmd;
command.Parameters.Add(new OracleParameter("login", username));
IDataReader reader = command.ExecuteReader(CommandBehavior.CloseConnection);
reader.Close();
I am trying to add the @login parameter to the above query, but it is not being added. Can anyone help me fix this?
Using parameterized queries is a three-step process: construct the command string with placeholders; declare a parameter object (SqlParameter for SQL Server, OracleParameter for Oracle), assigning its value; and add that parameter object to the command's Parameters collection. The placeholder syntax is provider-specific: SQL Server uses @name, while Oracle uses :name.
A parameterized query is a query in which placeholders stand in for parameters and the parameter values are supplied at execution time. The most important reason to use parameterized queries is to avoid SQL injection attacks: the value is sent to the database separately from the SQL text, so it is never parsed as part of the statement. Let's take a look at what can happen if we don't use parameterized queries.
Parameterized SQL queries allow you to place parameters in an SQL query in place of literal values. A parameter takes a value only when the query is executed, which allows the query to be reused with different values and for different purposes.
Use a colon instead (:login).
string sqlCmd = @"SELECT r.row_id AS resp_id,
       r.name   AS resp_name
  FROM srb.s_resp r,
       srb.s_per_resp pr,
       srb.s_contact c,
       srb.s_user u
 WHERE r.row_id = pr.resp_id
   AND u.row_id = c.row_id
   AND c.person_uid = pr.per_id
   AND UPPER(u.login) = :login
 ORDER BY r.name";
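As an added example (not part of the answer above), here is the whole lookup written out with the :login placeholder bound correctly. It assumes the ODP.NET managed driver (Oracle.ManagedDataAccess.Client) and that the connection string comes from the page's getConnectionString(username, password); those are assumptions, not something the question states. The value is upper-cased before binding because the query compares against UPPER(u.login), and the connection, command and reader are disposed with using blocks:

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Oracle.ManagedDataAccess.Client; // assumed provider (ODP.NET managed driver)

public static class ResponsibilityLookup
{
    // Same query as the answer: Oracle placeholders are written as :name, not @name.
    private const string SqlCmd = @"SELECT r.row_id AS resp_id,
       r.name   AS resp_name
  FROM srb.s_resp r,
       srb.s_per_resp pr,
       srb.s_contact c,
       srb.s_user u
 WHERE r.row_id = pr.resp_id
   AND u.row_id = c.row_id
   AND c.person_uid = pr.per_id
   AND UPPER(u.login) = :login
 ORDER BY r.name";

    // connectionString is assumed to be the result of getConnectionString(username, password).
    public static List<(string RespId, string RespName)> GetResponsibilities(string connectionString, string login)
    {
        var result = new List<(string RespId, string RespName)>();

        using (var con = new OracleConnection(connectionString))
        using (var command = con.CreateCommand())
        {
            command.CommandType = CommandType.Text;
            command.CommandText = SqlCmd;
            // Match parameters by name rather than by position.
            command.BindByName = true;

            // The parameter name is given without the colon. The value travels separately
            // from the SQL text, so whatever the caller passes cannot change the statement.
            // The query compares against UPPER(u.login), so the bound value is upper-cased;
            // passing the login as-is only matches if it is already upper case.
            command.Parameters.Add(new OracleParameter("login", login.ToUpperInvariant()));

            con.Open();
            using (IDataReader reader = command.ExecuteReader(CommandBehavior.CloseConnection))
            {
                while (reader.Read())
                {
                    result.Add((Convert.ToString(reader["resp_id"]),
                                Convert.ToString(reader["resp_name"])));
                }
            }
        }
        return result;
    }
}
```

With @login the provider cannot recognise the token as a bind variable, so the parameter added to the collection is never used; with :login it is bound by name and the login string is handled as data rather than as part of the SQL.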