Don't ever build a query this way! The input variable, inputCity, is typically retrieved from a TextBox control on either a Windows form or a Web page. Anything typed into that TextBox control is copied into inputCity and concatenated into your SQL string, so the input is executed as part of the query rather than treated as a plain value. This situation invites an attacker to replace the expected city name with something malicious. In the worst case, you could give away full control of your computer.
Using parameterized queries is a three-step process:
- Construct the SqlCommand command string with parameters.
- Declare a SqlParameter object, assigning values as appropriate.
- Assign the SqlParameter object to the SqlCommand object's Parameters property.
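The three steps above, carried through in C# as an added example (this code is not from the original article). It assumes a Customers table with CustomerID, CompanyName and City columns, a City column declared as NVARCHAR(15), and a connection string supplied by the caller; the concatenated version is included only for contrast with the parameterized one.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // use Microsoft.Data.SqlClient in newer projects

// Added example, not the article's own code. The table and column names
// (Customers, CustomerID, CompanyName, City) are assumptions.
class ParameterizedQueryDemo
{
    // The pattern the article warns against: the raw TextBox value is spliced
    // into the SQL text, so whatever the user typed becomes part of the query.
    static string BuildUnsafeQuery(string inputCity)
    {
        return "SELECT CustomerID, CompanyName FROM Customers WHERE City = '"
               + inputCity + "'";
    }

    // The safe version following the article's three steps.
    static DataTable GetCustomersByCity(string connectionString, string inputCity)
    {
        var results = new DataTable();

        using (var connection = new SqlConnection(connectionString))
        // Step 1: the command text carries a named placeholder, never the value.
        using (var command = new SqlCommand(
            "SELECT CustomerID, CompanyName FROM Customers WHERE City = @City",
            connection))
        {
            // Step 2: declare the parameter with an explicit type and size
            // (NVARCHAR(15) is assumed to match the column definition) and
            // assign the user's input as its value. The provider sends the
            // value separately from the SQL text, so it is never parsed as SQL.
            var cityParam = new SqlParameter("@City", SqlDbType.NVarChar, 15);
            cityParam.Value = inputCity ?? (object)DBNull.Value;

            // Step 3: attach the parameter to the command's Parameters collection.
            command.Parameters.Add(cityParam);

            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                results.Load(reader);
            }
        }

        return results;
    }

    static void Main()
    {
        // Constructed input: a city name followed by a quote, the kind of
        // value that breaks the concatenated query but is harmless here.
        const string typedByUser = "London'";
        Console.WriteLine("Unsafe text: " + BuildUnsafeQuery(typedByUser));
        Console.WriteLine("Parameterized query leaves the SQL text unchanged; "
                          + "the value travels as @City.");
        // GetCustomersByCity(connectionString, typedByUser) would simply
        // return no rows, because no city is literally named "London'".
    }
}
```

Note that the parameterized command text is a constant: inputCity only ever appears as the parameter's Value, so a stray quote or a trailing statement in the TextBox is compared against the City column as data rather than interpreted by the SQL parser.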