sql - C# Passing parameters to stored procedure with EXEC query
I am trying to pass parameters from my program to a stored procedure in EXEC format. Following is the code:

    public void button1_Click(object sender, EventArgs e)
    {
        frmLogin frm = new frmLogin();
        OleDbConnection conn = new OleDbConnection("File Name=e:\\vivek\\license manager\\license manager\\login.udl");
        try
        {
            conn.Open();
            string user = username.Text;
            string pass = password.Text;
            // user input concatenated straight into the EXEC text
            string query = "EXEC dbo.CheckUser '" + username.Text + "', '" + password.Text + "'";
            OleDbCommand cmd = new OleDbCommand(query, conn);
            cmd.ExecuteNonQuery();
            // retrieve return value (this only copies the query text; nothing is read back from the command)
            string result = query.ToString();
            MessageBox.Show(result);
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        conn.Close();
    }

What should I write in `string query = " "`? I am trying to pass the username and password as parameters to the stored procedure, and once the query executes and returns a result, I store it in a variable named result. Am I doing this the right way? I am new to C#.
Please suggest,
thanks
Building command text dynamically with segments of user input inserted into it is dangerous, and leaves you open to SQL injection.
Below is a slight variation that parameterizes the strings. This approach is much safer.

    using System.Data;
    using System.Data.OleDb;

    string query = "dbo.CheckUser";
    OleDbCommand cmd = new OleDbCommand(query, conn);
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.Parameters.AddWithValue("@username", username.Text);
    cmd.Parameters.AddWithValue("@password", password.Text);

Note: the updated version sets the command type to stored procedure instead of plain text.
c# sql .net sql-server
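The following is an added, complete version of the parameterized call from the answer above; it is example code written for this page, not code from the asker or the answerer. It assumes that dbo.CheckUser takes two parameters, username first and password second, and that it returns a single integer through a SELECT (for instance a match count); the procedure's real signature, the parameter sizes, the UDL path and the form/control names are placeholders. Because the OLE DB provider binds parameters by position rather than by name, the order in which the parameters are added must match the procedure's declaration, which the example calls out in a comment.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

public partial class frmLogin : Form
{
    // Placeholder: point this at the .udl file that holds the provider and credentials.
    private const string ConnectionString = @"File Name=E:\path\to\login.udl";

    // Calls dbo.CheckUser with bound parameters instead of concatenating user input
    // into an EXEC string. Quote characters typed by the user travel as data, not as
    // part of the command text, so they cannot change what the procedure does.
    // Assumed procedure contract (hypothetical): CheckUser(@username, @password)
    // returns one integer row via SELECT.
    public static int CheckUser(string connectionString, string userName, string password)
    {
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand("dbo.CheckUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;

            // OLE DB parameters are positional: the names here are documentation only,
            // so the Add() order must match the procedure's parameter order.
            // Explicit types and sizes avoid the implicit-conversion surprises of AddWithValue.
            cmd.Parameters.Add("@username", OleDbType.VarWChar, 50).Value = userName;
            cmd.Parameters.Add("@password", OleDbType.VarWChar, 128).Value = password;

            conn.Open();
            object scalar = cmd.ExecuteScalar(); // first column of the first row, or null
            return scalar == null || scalar == DBNull.Value ? 0 : Convert.ToInt32(scalar);
        }
    }

    private void button1_Click(object sender, EventArgs e)
    {
        try
        {
            int result = CheckUser(ConnectionString, username.Text, password.Text);
            MessageBox.Show(result.ToString());
        }
        catch (OleDbException ex)
        {
            // Provider errors (bad procedure name, wrong parameter count, connection failure)
            MessageBox.Show("Login check failed: " + ex.Message);
        }
    }
}
```

The `using` blocks dispose the connection and command even when an exception is thrown, which replaces the unconditional `conn.Close()` after the catch in the question. If the procedure reports its outcome with a T-SQL RETURN instead of a SELECT, add an OleDbParameter with `Direction = ParameterDirection.ReturnValue` as the first parameter and read its `Value` after `ExecuteNonQuery()`.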