
I have a problem. How do I use a C# variable in a SQL query? None of these attempts work:

   // None of these attempts reads the C# variable: each is an ordinary string literal, so
   // whatever stands between the quotes is sent to SQL Server verbatim.
   cmd.CommandText = "select Id, Name from tblFiles WHERE email = 'CurrentUser'"; // compares email with the literal text CurrentUser
   cmd.CommandText = "select Id, Name from tblFiles WHERE email = '+CurrentUser'"; // the + is inside the string, not C# concatenation
   cmd.CommandText = "select Id, Name from tblFiles WHERE email = '$CurrentUser'"; // $ inside a string literal has no meaning in C#
   cmd.CommandText = "select Id, Name from tblFiles WHERE email =' +CurrentUser'"; // literal " +CurrentUser", leading space included
   cmd.CommandText = "select Id, Name from tblFiles WHERE email = CurrentUser"; // unquoted: SQL Server resolves CurrentUser as a column name
   // Splicing the variable into the text with + would "work" but lets the value be parsed as
   // SQL (injection); bind it as a parameter instead: WHERE email = @CurrentUser.

I need to load the data from the database where email equals CurrentUser (that is, User.Identity.Name).

 /// <summary>
 /// Intended to bind the Id/Name rows of tblFiles for the signed-in user to the
 /// GridView1 control inside LoginView3. As written it never uses the CurrentUser
 /// variable in the query, so it returns the rows whose email is the literal text
 /// "CurrentUser" (normally none).
 /// </summary>
 private void BindGrid()
    {
        string CurrentUser = User.Identity.Name;
        string constr = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;
        using (SqlConnection con = new SqlConnection(constr))
        {

            if (CurrentUser != null)
            {
             using (SqlCommand cmd = new SqlCommand())
             {
                // "as" yields null when the control is not found; the DataSource
                // assignment below would then throw NullReferenceException.
                GridView GridView1 = LoginView3.FindControl("GridView1") as GridView;
                // BUG: 'CurrentUser' is part of the string literal, not the C# variable.
                // Do not fix this by concatenating the variable into the SQL text (SQL
                // injection); use "WHERE email = @CurrentUser" and add a SqlParameter.
                cmd.CommandText = "select Id, Name from tblFiles WHERE email = 'CurrentUser'";
                cmd.Connection = con;
                con.Open();
                // The SqlDataReader returned here is never disposed; the using on con
                // closes the connection, which ends the reader with it.
                GridView1.DataSource = cmd.ExecuteReader();
                GridView1.DataBind();
                // Redundant: the using block disposes (and thereby closes) con.
                con.Close();
             }
         }
     }
 }
  • Try this piece of code cmd.CommandText = string.Format("select Id, Name from tblFiles WHERE email = '{0}'", CurrentUser); Commented Sep 15, 2014 at 11:55
  • @KarthickNS NO NO NO NO NO!!!! That is very very very bad. Commented Sep 15, 2014 at 11:57
  • Yes Marc Gravell, using parameters is the best way Commented Sep 15, 2014 at 12:00
  • @KarthickNS the only way that doesn't get your site hacked... Commented Sep 15, 2014 at 12:02



You need to use parameters:

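    cmd.CommandText = "select Id, Name from tblFiles WHERE email = @CurrentUser";
    // Typed, sized parameter: the value travels separately from the SQL text, so it is
    // never parsed as SQL, and a fixed size lets SQL Server reuse one cached plan for
    // every user name (a parameter without a size takes its length from each value).
    // TODO: replace 256 with the declared length of tblFiles.email.
    cmd.Parameters.Add("@CurrentUser", SqlDbType.NVarChar, 256).Value = User.Identity.Name;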



To do what you want you should use parameters. You can read more about them [here](http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters(v=vs.110).aspx).

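/// <summary>
/// Loads the Id/Name rows of tblFiles that belong to the signed-in user into the
/// GridView1 control hosted inside LoginView3.
/// </summary>
/// <remarks>
/// The user name is bound as a typed SqlParameter instead of being spliced into the
/// SQL text, so it is never interpreted as SQL (no injection) and SQL Server can
/// reuse a single cached plan for every user.
/// </remarks>
private void BindGrid()
{
    string currentUser = User.Identity.Name;
    if (currentUser == null)
    {
        // Nothing to bind for an anonymous request.
        return;
    }

    // The grid lives inside LoginView3 and must be looked up by id; skip binding
    // when the template that contains it is not rendered instead of throwing.
    GridView gridView1 = LoginView3.FindControl("GridView1") as GridView;
    if (gridView1 == null)
    {
        return;
    }

    string constr = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;
    using (SqlConnection con = new SqlConnection(constr))
    using (SqlCommand cmd = new SqlCommand("select Id, Name from tblFiles WHERE email = @CurrentUser", con))
    {
        // Explicit type and size: a parameter without a size takes its length from each
        // value, which produces a separate cached plan per distinct length.
        // TODO: replace 256 with the declared length of tblFiles.email.
        // The already null-checked local is used so the parameter value is never null.
        cmd.Parameters.Add("@CurrentUser", SqlDbType.NVarChar, 256).Value = currentUser;

        con.Open();
        // Dispose the reader once the grid has consumed it; the using on con closes the
        // connection, so no explicit Close() is needed.
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            gridView1.DataSource = reader;
            gridView1.DataBind();
        }
    }
}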



As already noted, parameters are the way to go here. But it doesn't need to be hard – you can use a tool like "dapper" to make it painless:

// Dapper binds @email to the anonymous object's property of the same name, so the
// local may be called anything as long as the property is spelled like the parameter.
string userEmail = User.Identity.Name;
var matches = con.Query("select Id, Name from tblFiles WHERE email = @email",
    new { email = userEmail });
var row = matches.SingleOrDefault();
if (row != null)
{
    int id = row.Id;
    string name = row.Name;
    // ...
}

(Here Query returns an IEnumerable&lt;dynamic&gt; whose members are named after the columns, and SingleOrDefault yields the one matching row, or null when there is none; it throws if more than one row matches.) All the other methods you would want (ExecuteReader, ExecuteScalar, multi-grid handling, etc.) are there too.

You can also use Query<User> to populate a User by matching columns to fields/properties.


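cmd.CommandText = "select Id, Name from tblFiles WHERE email = @CurrentUser";
// Prefer a typed, sized parameter over AddWithValue: AddWithValue infers the SQL type
// and length from the .NET value, so each distinct user-name length gets its own cached
// plan. Either way the value is sent separately from the SQL text and is never parsed
// as SQL.
// TODO: replace 256 with the declared length of tblFiles.email.
cmd.Parameters.Add("@CurrentUser", SqlDbType.NVarChar, 256).Value = User.Identity.Name;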

This adds the parameter to your command so the user name is passed as a value rather than as part of the SQL text.

